b"Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n                              Management Advisory Report\n                                   On Cybersecurity\n\n\n\n\nThis report was prepared on behalf of Council of the Inspectors General on Integrity\nand Efficiency\n\n\n\n\nOIG-11-121                                                                             September 2011\n\x0c                                                             Office of Inspector General\n\n                                                             U.S. Department of Homeland Security\n                                                             Washington, DC 20528\n\n\n\n\n                                    September 30, 2011\n\n                                          Preface\n\nAt the request of the Council of the Inspectors General on Integrity and Efficiency\n(CIGIE) Homeland Security Roundtable (HSR) and with the approval of the CIGIE\nExecutive Council, the Department of Homeland Security (DHS) Office of Inspector\nGeneral (OIG) chaired a Working Group of attorneys and information technology (IT)\nprofessionals (IT security professionals, IT auditors, and other IT practitioners) and other\ncybersecurity experts from OIGs of various sizes, including representatives of the\npresidentially appointed and designated federal entity Inspectors General (IG)\ncommunity.\n\nThe CIGIE Cybersecurity Working Group was charged with undertaking a two-part\nreview in which it would (1) identify recommended practices for maintaining the\nintegrity of OIG IT systems and protecting them against internal threats and\nvulnerabilities and (2) examine the role of the IG community in current federal\ncybersecurity initiatives.\n\nI am pleased to provide the CIGIE Cybersecurity Working Group\xe2\x80\x99s recommended\npractices for maintaining the integrity of OIG IT systems. This report is the product of\nthe first part of the review. 
It is based on the subject matter expertise of IT specialists\nfrom a representative group of the IG community, discussions with industry\nprofessionals, legal research, and a review of applicable websites and documents. These\nrecommended practices are intended to help the IG community address the many issues\nand demands that OIGs and government managers face today. The recommendations\nherein have been developed to the best knowledge available to the Working Group. We\ntrust that this report will result in more secure OIG IT systems. DHS OIG would like to\nexpress its appreciation for the considerable amount of time dedicated to this effort.\n\nI would like to acknowledge the support provided to this cybersecurity effort by all the\nworking group participants listed in appendix C. Of particular note is the work of Chris\nOrcutt, Patrick Nadon, Jefferson Gilkeson, Jaime Vargas, Rachel Magnus, Phyllis Bryan,\nAdam Berlin, Robert Duffy, and Rene Lee to produce a final document that represents\nthe needs of the IG community.\n\n\n\n\n                                      Charles K. 
Edwards\n                                      Acting Inspector General\n\x0cTable of Contents\nThe Council of the Inspectors General on Integrity and Efficiency ...................................1\n\nExecutive Summary .............................................................................................................3\n\nBackground ..........................................................................................................................4\n\nResults of Review ................................................................................................................4\n   Asset Management and Leveraging Resources .............................................................4\n   Identity, Credential, and Access Management ............................................................11\n   Incident Detection and Handling .................................................................................18\n   Scalable Trustworthy Systems .....................................................................................28\n\nAppendices\n     Appendix A:           Reference List of Relevant Guidance, Laws, and Regulations ...........35\n     Appendix B:           Summary of Survey Results.................................................................42\n     Appendix C:           Emergency Management Case Study ..................................................52\n     Appendix D:           Contributors to this Report...................................................................55\n\nAbbreviations\n     CIGIE                       Council of the Inspectors General on Integrity and Efficiency\n     CIO                         Chief Information Officer\n     CIS                         Center for Internet Security\n     CM                          configuration management\n     CNCI                        Comprehensive National Cybersecurity Initiative\n     COOP                        Continuity of Operations Plan\n     CPR           
              Cyberspace Policy Review\n     DHS                         Department of Homeland Security\n     DOD                         Department of Defense\n     EH-11                       Eagle Horizon 2011 Exercise\n     FDCC                        Federal Desktop Core Configuration\n     FedRAMP                     Federal Risk and Authorization Management Program\n     FEMA                        Federal Emergency Management Agency\n     FICAM                       Federal Identity, Credential, and Access Management\n     FIPS                        Federal Information Processing Standards\n     FISMA                       Federal Information Security Management Act\n     GPEA                        Government Paperwork Elimination Act\n     GSA                         General Services Administration\n     HIPAA                       Health Insurance Portability and Accountability Act of 1996\n     HSPD                        Homeland Security Presidential Directive\n     HSR                         Homeland Security Roundtable\n     ICAM                        Identity, Credential, and Access Management\n     IG                          Inspectors General\n\x0cITD    Information Technology Division\nIT     information technology\nMC     Mission Critical\nMEF    Mission Essential Function\nNIST   National Institute of Standards and Technology\nNPE    non-person entity\nOIG    Office of Inspector General\nOMB    Office of Management and Budget\nPIV    Personal Identity Verification\nPKI    Public Key Infrastructure\nSANS   System Administration Networking and Security\nSCAP   Security Content Automation Protocol\nSCM    security configuration management\nSP     Special Publication\nSTIG   Security Technical Implementation Guides\nTIC    Trusted Internet Connection\nVPN    Virtual Private Network\n\x0cThe CIGIE was statutorily established as an independent entity within the\nexecutive branch by the Inspector General Reform Act of 2008, Public\nLaw 110-409. 
The mission of the CIGIE is to\xe2\x80\x94\n\n   \xe2\x80\xa2   Address integrity, economy, and effectiveness issues that transcend\n       individual government agencies; and\n\n   \xe2\x80\xa2   Increase the professionalism and effectiveness of personnel by\n       developing policies, standards, and approaches to aid in the\n       establishment of a well-trained and highly skilled workforce in the\n       federal IG community.\n\nMembership\n\n   \xe2\x80\xa2   All IGs whose offices are established under either section 2 or\n       section 8G of the Inspector General Act, or pursuant to other\n       statutory authority (e.g., the Special IGs for Iraq Reconstruction,\n       Afghanistan Reconstruction, and Troubled Asset Relief Program)\n\n   \xe2\x80\xa2   The IGs of the Office of the Director of National Intelligence (or at\n       the time of appointment, the IG of the Intelligence Community)\n       and the Central Intelligence Agency\n\n   \xe2\x80\xa2   The IGs of the Government Printing Office, the Library of\n       Congress, the Capitol Police, the Government Accountability\n       Office, and the Architect of the Capitol\n\n   \xe2\x80\xa2   The Controller of the Office of Federal Financial Management\n\n   \xe2\x80\xa2   A senior-level official of the Federal Bureau of Investigation,\n       designated by the Director of the Federal Bureau of Investigation\n\n   \xe2\x80\xa2   The Director of the Office of Government Ethics\n\n   \xe2\x80\xa2   The Special Counsel of the Office of Special Counsel\n\n   \xe2\x80\xa2   The Deputy Director of the Office of Personnel Management\n\n\n\n          Management Advisory Report on Cybersecurity\n\n                            Page 1\n\x0c   \xe2\x80\xa2   The Deputy Director for Management of the Office of\n       Management and Budget (OMB)\n\nCIGIE HSR\n\nSince September 11, 2001, protecting our Nation has been a paramount\nconcern of the entire federal establishment. 
The IG community plays a\nsignificant role in reviewing the performance of agency programs and\noperations that affect homeland security. To a large extent, this has been\naccomplished through collaborative efforts among multiple OIGs.\n\nOn June 7, 2005, the President\xe2\x80\x99s Council on Integrity and Efficiency Vice-\nChair established a President\xe2\x80\x99s Council on Integrity and Efficiency HSR.\nThe roundtable supports the IG community by sharing information,\nidentifying best practices, and participating on an ad hoc basis with\nvarious external organizations and government entities. The CIGIE\nCybersecurity Working Group was formed under the auspices of the HSR.\n\n\n\n\n          Management Advisory Report on Cybersecurity\n\n                            Page 2\n\x0cExecutive Summary\n        Computers, the Internet, and other electronic assets have become integral\n        to the effective functioning of the federal government, its programs, and\n        daily public life. These assets have become the targets of people with\n        malicious intent, and thus represent an area of increased risk and\n        vulnerability to the federal government. The community of Inspectors\n        General must be proactive in preventing and addressing issues relating to\n        cybersecurity, both in its oversight capacity and in its operational role. To\n        that end, the Council of the Inspectors General on Integrity and Efficiency\n        Cybersecurity Working Group was charged with identifying measures that\n        the Inspector General community can take to protect itself against cyber\n        attacks.\n\n        This report covers four areas identified as cybersecurity challenges facing\n        the Inspectors General community: (1) asset management and leveraging\n        resources; (2) identity, credential, and access management; (3) incident\n        detection and handling; and (4) scalable trustworthy systems. 
The topics\n        are not exhaustive of all cybersecurity issues. They were identified by the\n        Cybersecurity Working Group, using the DHS Roadmap for Cybersecurity\n        Research, as the most salient and relevant issues facing Council of the\n        Inspectors General on Integrity and Efficiency community members.\n\n        The report offers recommended practices for the Inspectors General\n        community taking into consideration the different risks or vulnerabilities\n        of each OIG based on the degree to which information technology systems\n        are dependent upon or connected to their parent agencies and whether they\n        have sufficient human and financial resources to secure their information\n        technology systems effectively. Although each element of the report will\n        not apply to each unique OIG/parent agency structure, the report provides\n        a foundation for understanding some of the most salient issues facing our\n        organizations and the solutions to these issues. Generally, the\n        cybersecurity issues faced by the Inspector General community are the\n        same as those faced government-wide; however, for each office, the\n        mission, type of information collected, and the type of work may impact\n        the relative priority of the problems and issues. A subsequent report will\n        address the Inspectors General community\xe2\x80\x99s role in federal cybersecurity\n        initiatives.\n\n\n\n\n                   Management Advisory Report on Cybersecurity\n\n                                     Page 3\n\x0cBackground\n          IT has become pervasive in every way, from our phones and other small\n          devices to our enterprise networks and the infrastructure that runs our\n          economy. 
As the critical infrastructures of the United States have become\n          increasingly dependent on public and private IT networks, the potential for\n          widespread national impact resulting from disruption or failure of these\n          networks has also increased. This report presents key topics and\n          recommendations that the IG community can consider and use when\n          securing existing systems and adopting new technologies.\n\n          Cybersecurity is a broad and complex area of study. A six-month review\n          cannot fully address all of the topics in the cybersecurity arena. The\n          Working Group focused its efforts on the four challenges that are most\n          salient to improving cybersecurity in the IG community: (1) asset\n          management and leveraging resources; (2) identity, credential, and access\n          management; (3) incident detection and handling; and (4) scalable\n          trustworthy systems.\n\n          As part of this effort, the Working Group surveyed the IG community to\n          gather information on current and planned initiatives to address these\n          challenges. It received responses from 41 of 79 members of CIGIE. The\n          survey results, which are compiled and summarized in appendix B of this\n          report, were used to analyze cybersecurity initiatives and trends in the IG\n          community.\n\n\nResults of Review\n          The Working Group identified four areas which, if properly understood,\n          designed, and monitored, provide the IG community and respective\n          agencies with assurance that risks associated with the areas are minimized.\n          The report is organized to reflect the logical steps taken to secure an\n          infrastructure: identifying and managing assets, controlling and\n          monitoring access to those assets, and managing detection and handling\n          incidents. 
Last, the Working Group analyzed how emerging technology\n          such as cloud computing can be leveraged into a trustworthy system.\n\n     Asset Management and Leveraging Resources\n          Asset management is the set of organizational practices that identify and\n          control all elements of hardware and software in an organization. It is the\n          first step toward managing network weaknesses, device vulnerabilities,\n          and configuration challenges. Computer systems and the information they\n          store are critical assets that support an organization\xe2\x80\x99s mission. Protecting\n\n                    Management Advisory Report on Cybersecurity\n\n                                      Page 4\n\x0ccritical assets from cyber threats is an essential management function, and\ntherefore, an understanding of asset management and its processes is\nfundamental to the IG community organizations.\n\nAsset management refers to the tracking of all tools, their accessories, and\nwhat each tool needs in order to perform as intended. Hardware asset\nmanagement is the management of physical components, while software\nasset management focuses on software assets, which include installation\ntracking for licensing, versioning, and upgrades. Asset management may\nbe compared to the organization of a tool-shed. Tools are typically owned\nfor use as needed; asset management best practices can help to find tools\nthat cannot be located immediately. To do so, users need a list that\nincludes each tool, its location, performance requirements, most recent\nmaintenance by date and type, and when the next maintenance should be\nperformed. Resources and time need to be devoted to keeping all this\ninformation updated.\n\nMany processes outside of the cybersecurity function play important roles\nin cybersecurity asset management. 
For example, before you can check a\ncomputer for necessary security patches, you need to know if the computer\nexists, its location, and what operating system is installed on it. There also\nneeds to be a defined organizational process for prioritizing, testing, and\ninstalling software patches.\n\nFrom a security perspective, strong asset management can help network\nadministrators identify and manage network weaknesses and device\nvulnerabilities. Unauthorized and undocumented network-attached\ndevices can leave an organization vulnerable to cyber threats, and\nunmitigated software vulnerabilities may also leave an organization\xe2\x80\x99s\nnetworks susceptible to cyber attacks. Proper asset management can also\nassist with identifying lost equipment and illicit configuration changes\nwhen providing incident response support. Finally, cybersecurity asset\nmanagement is necessary to meet federal guidelines and directives such as\nOMB Memorandum 10-15, which requires agencies to upload IT\ninventory information, and OMB Circular A-130, which establishes policy\nfor the management of federal information resources government-wide.\n\nSeveral asset management best practices have security implications\xe2\x80\x94\n   \xe2\x80\xa2   Request and approval process,\n   \xe2\x80\xa2   Procurement management,\n   \xe2\x80\xa2   Configuration management (CM),\n   \xe2\x80\xa2   Vulnerability management, and\n   \xe2\x80\xa2   Disposal management.\n\n\n           Management Advisory Report on Cybersecurity\n\n                             Page 5\n\x0c                  Below is an overview of each asset management best practice.\n\n                  Request and Approval Process\n\n                  The request and approval process is a structured and predetermined series\n                  of events that allows for streamlined acquisitions using a standard\n                  procedure. 
In the past, when an IT asset was requested, management\n                  would either agree or disagree. Current federal regulations require that\n                  work, including security planning, be performed before IT purchases are\n                  made, and an approval review is typically performed before assets are\n                  purchased.\n\n                  A standardized request and approval process review ensures that the\n                  purchase is necessary, is a good investment, and fits with the current\n                  security configuration. The review also ensures that any potential new\n                  security risks are reviewed and accepted. This review and approval\n                  process should include board members from an organization\xe2\x80\x99s financial,\n                  functional, IT, and security areas.\n\n                  Procurement Management\n\n                  Procurement management defines the processes used to determine which\n                  assets best meet the organization\xe2\x80\x99s needs. For organization-wide\n                  purchases, procurement decisions should be made by a team representing\n                  different functional areas of the organization. Soliciting input from people\n                  with different organizational and functional expertise helps ensure\n                  effective procurement decisions.\n\n                  This procurement team might include an executive officer, IT asset\n                  manager, IT manager, IT technical specialist, functional manager,\n                  functional end-user, helpdesk manager, procurement attorney, and security\n                  specialist. The team\xe2\x80\x99s first meeting should review the inventory of assets\n                  to provide information on what is currently in use and what is working\n                  well, and to report any recurring asset problems. 
The team builds a\n                  business case for each prospective asset purchase, making a value\n                  proposition to support the acquisition decision. This team should establish\n                  guidelines for standard asset acquisitions and can consider requests for\n                  nonstandard assets. This team should be familiar with current\n                  procurement regulations as well as security implications. 1\n\n\n\n\n1\n See 48 C.F.R. pts. 1-99 - Federal Acquisition Regulation. Among other things, parts 39 and 52 provide\ncontract language directing a contractor\xe2\x80\x99s computer security responsibilities (see, e.g., 48 C.F.R. \xc2\xa7\xc2\xa739.105,\n39.107, and 52.239-1).\n\n                               Management Advisory Report on Cybersecurity\n\n                                                   Page 6\n\x0cConfiguration Management\n\nCM can be defined as establishing and controlling changes made to\nhardware and software throughout the life cycle of an information system.\nCM for security, referred to as security configuration management (SCM),\nmanages and controls security configuration items for an information\nsystem. The goal of SCM is to enable security configuration items to\nreduce risk.\n\nSeveral different entities publish security baselines for various IT\nproducts, including the U.S. Government Configuration Baseline, Defense\nInformation Systems Agency, National Security Agency, and the Center\nfor Internet Security (CIS). These security baselines provide configuration\nsettings to \xe2\x80\x9clock down\xe2\x80\x9d information systems and software that might\notherwise be vulnerable to attack.\n\nThe National Institute of Standards and Technology (NIST) provides\nguidance to implement SCM in organizations. NIST Special Publication\n(SP) 800-53, Revision 3, has a family of CM security controls (CM-1\nthrough CM-9). 
NIST SP 800-128, Guide for Security-Focused\nConfiguration Management of Information Systems, and SP 800-53A,\nRevision 1, Guide for Assessing the Security Controls in Federal\nInformation Systems and Organizations, Building Effective Security\nAssessment Plans, provide guidance on implementing SCM controls.\nSpecifically, NIST SP 800-128 identifies the major phases of SCM and\ndescribes the process of applying SCM practices for information systems,\nincluding (1) planning SCM activities for the organization, (2) identifying\nand implementing SCM, (3) controlling and maintaining the configuration\nof the information system in a secure state, and (4) monitoring the\nconfiguration of the information system to ensure that the configuration is\nnot inadvertently altered from its approved state.\n\nThe NIST SP 800-53, CM-6 security control requires that agencies\nestablish and document configuration settings for IT products. The\nDefense Information Systems Agency, a component of the Department of\nDefense (DOD), has defined baselines called Security Technical\nImplementation Guides (STIGs) to lock down information systems and\nsoftware that might otherwise be vulnerable to attack. The STIG website\ncontains links to numerous security baselines for operating systems,\napplications, and telecommunication equipment. STIGs can assist\nagencies in producing security baselines for the products they use.\n\n\n\n\n          Management Advisory Report on Cybersecurity\n\n                            Page 7\n\x0cVulnerability Management\n\nVulnerability management is the practice of identifying, classifying,\nremediating, and mitigating vulnerabilities. This practice generally refers\nto software vulnerabilities in computing systems. However, as with CM,\ndefinitions vary in the IT industry, and the lines between CM and\nvulnerability management tend to blur. 
Managing a baseline of security\nconfiguration items can assist with protecting against vulnerabilities.\nMitigating existing vulnerabilities enhances an organization\xe2\x80\x99s security\nconfiguration baseline.\n\nVulnerability management is achieved by performing vulnerability\nassessments. Assessments are typically performed according to the\nfollowing steps\xe2\x80\x94\n   1. Cataloging assets and capabilities (resources) in a system,\n   2. Assigning quantifiable value (or at least rank order) and\n      importance to those resources,\n   3. Identifying the vulnerabilities or potential threats to each resource,\n      and\n   4. Mitigating or eliminating the most serious vulnerabilities for the\n      most valuable resources.\n\nNIST SP 800-53 also has a risk assessment family of security controls.\nThese controls require that organizations identify and report\nvulnerabilities. Vulnerabilities need to be analyzed and their potential\nimpact measured. Vulnerabilities should be remediated, mitigated through\ncompensating controls, or documented with the potential risk to the\norganization accepted.\n\nDisposal Management\n\nAs part of the asset disposal process, organizations need controls to assess\nand, when appropriate, sanitize sensitive information on assets approved\nfor disposal. For example, computer printers, copy machines, and fax\nmachines may contain sensitive residual information which, if released,\ncould have an adverse effect on the organization or individuals whose\npersonal information is stored on agency assets.\n\nDisposal management also includes transitioning old systems to new ones.\nThe replacement process must be planned carefully to prevent vital\nbusiness data from being lost or compromised. 
If the asset being retired is\n\n\n\n\n          Management Advisory Report on Cybersecurity\n\n                            Page 8\n\x0c                  business data, National Archives and Records Administration regulations\n                  may apply. 2\n\n                  NIST provides several recommendations and guidelines concerning the\n                  secure disposal of IT media and equipment. The NIST SP 800-53,\n                  Software Integrity family of security controls instructs organizations to\n                  handle and retain both information within and output from information\n                  systems in accordance with applicable federal laws, executive orders,\n                  directives, policies, regulations, standards, and operation requirements.\n\n                  The NIST SP 800-53, Media Protection family of security controls\n                  discusses sanitation requirements of digital and nondigital information\n                  system media prior to disposal. NIST SP 800-88, Guidelines for Media\n                  Sanitation, includes a list of common media types and recommends\n                  destruction procedures.\n\n                  Leveraging Resources\n\n                  Managing assets can be complex and time-consuming. Therefore, using\n                  specialized software to automate the process can be beneficial for\n                  (1) assessing and managing organization-wide inventories of hardware and\n                  software, (2) ensuring compliance with software licenses and other\n                  regulatory requirements, and (3) adding value to the disposal process.\n\n                  Specifically, automated discovery of hardware and software identifies\n                  what systems are connected to the organization\xe2\x80\x99s network and where they\n                  are located. 
Moreover, an automated software inventory provides an\n                  accurate audit of all software applications installed on client computers\n                  across the network. An asset management solution can audit this\n                  information quickly and then help an organization separate primary\n                  applications from operating system and shareware software. It can\n                  identify installations of products for license compliance. It can also\n                  identify products no longer in use as well as redundant software, which\n                  can result in significant cost savings in licensing and maintenance.\n\n                  Furthermore, an automated software inventory tells an agency how\n                  equipment is configured and when changes are made. It can also look for\n                  software downloaded from the Internet, which can threaten the security\n                  and integrity of the network. Identifying such software is increasingly\n                  important as the number of Trojan viruses increases. Automated\n                  vulnerability programs can detect and report on configuration issues,\n                  software weaknesses, and missing security patches, all of which can be\n                  exploited to gain access to secure networks and computers. Finally, when\n\n2\n  See, e.g., 36 C.F.R. 
part 1236 for regulations detailing records management requirements for electronic
information.

Management Advisory Report on Cybersecurity

Page 9

hardware and software is retired, the inventory can verify that all affected
assets have been removed from the network.

According to the OMB Fiscal Year 2010 Report to Congress on the
Implementation of The Federal Information Security Management Act
(FISMA) of 2002, the ideal goal of IT asset management capability is to
have 100% of agency assets under an automated asset management system
that captures data about each asset and can provide that data within a short
period of time. Many solutions exist. NIST maintains a list of Security
Content Automation Protocol (SCAP) validated products at
http://nvd.nist.gov/scapproducts.cfm.

Ultimately, responsibility for asset management in an organization lies
with its senior management. It is up to senior management to promote the
organization’s computer security program and ensure that the proper
resources are available.

Recommendations

We recommend that OIGs consider implementing the following practices,
when applicable:

Recommendation #1: As a cost efficiency measure, create baseline
software assets to support working capital fund requirements and leverage
managed and shared services when available.

Recommendation #2: Consider creating an IT purchasing team of
selected individuals from various areas of the organization to ensure that
purchases best meet the organization’s needs and security requirements.

Identity, Credential, and Access Management

The Federal Identity, Credential, and Access Management (ICAM)
Initiative[3] efforts, including those of the IG community, are a key enabler
for addressing the Nation’s cybersecurity challenges. In recent years,
increasing emphasis has also been placed on improving the physical
security of the hundreds of thousands of facilities that the federal
government owns and leases. In addition to complex physical and logical
cybersecurity threats, the federal government faces significant challenges
in carrying out its IT capabilities to enable a level of assurance and
electronic service delivery (see figure 1).

Figure 1: Federal Identity, Credential, and Access Management Roadmap and
Implementation Guidance, Version 1.0, November 20, 2009. Figure copyrighted © 2011,
Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu
Limited.

These challenges lie in the ability to verify the identity of an individual or
non-person entity (NPE) in the digital realm and to establish trust in the
use of that identity in conducting business.[4] As a result, strong and
reliable ICAM capabilities across the entire federal government are a
critical factor in the success of all mission work. A common,
standardized, trusted basis for digital identity and access management is
needed to provide a consistent approach to deploying and managing
appropriate identity assurance, credentialing, and access control services.
The approach must also promulgate implementation guidance and best
practices, build consensus through government-wide collaboration, and
modernize business processes to reduce agency costs for administering
and duplicating identity management. Appendix A presents a sample of
general laws, regulations, and policies that affect and, in many cases, have
initiated today’s ICAM programs.

[3] IDManagement.gov is a one-stop shop for citizens, businesses, and government entities
interested in identity management activities, including topics related to Homeland Security
Presidential Directive 12 (HSPD-12); Federal Public Key Infrastructure; Identity, Credential,
and Access Management; and Acquisitions.

[4] NPE is an entity with a digital identity that acts in cyberspace, but is not a human actor.
This can include organizations, hardware devices, software applications, and information
artifacts.

An ICAM plan integrates programs, processes, technologies, and
personnel used to create trusted digital identity representations of
individuals and NPEs and binds those identities to credentials that may
serve as a proxy in access transactions. Those credentials are then used to
provide authorized access to an agency’s resources.

Governance

The Federal ICAM Initiative is governed by the Federal Chief Information
Officers (CIOs) Council, Identity Credential and Access Management
Subcommittee, with program support by the General Services
Administration (GSA) Office of Government-wide Policy and direct
oversight from the OMB.
The Identity Credential and Access
Management Subcommittee is a subcommittee of the Information Security
and Identity Management Committee, which was chartered in December
2008 as the principal interagency forum for identifying high-priority
security and identity management initiatives, developing
recommendations for policies, procedures, and standards to address
initiatives, and enhancing the security of federal government networks,
information, and information systems. Today, the federal government is
strongly interested in unifying these areas and other identity management
initiatives to create a comprehensive and integrated approach to ICAM.

Identity Management

The National Science and Technology Council Subcommittee on
Biometrics and Identity Management defines identity management as the
combination of technical systems, rules, and procedures that define the
ownership, utilization, and safeguarding of personal identity information.[5]
The primary goal of identity management is to establish a trustworthy
process for assigning attributes to a digital identity and to connect that
identity to an individual. Identity management includes the processes for
maintaining and protecting the identity data of an individual over its life
cycle. Many of the processes and technologies used to manage a person’s
identity may also be applied to NPEs.

[5] http://www.biometrics.gov/Documents/IdMReport_22SEP08_Final.pdf

Today, many system application owners and program managers create a
digital representation of an identity by establishing and setting access
privileges to enable application-specific processes. As a result,
maintenance and protection of the identity is treated as secondary to the
mission associated with the application. Unlike accounts used to log on to
networks, systems, or applications, enterprise identity records are not tied
to job title, job duties, location, or whether access is needed to a specific
system. Those things may become attributes tied to an enterprise identity
record, and may also become part of what uniquely identifies an individual
in a specific application. Access control decisions will be based on the
context and relevant attributes of a user, not solely the user’s identity. The
concept of an enterprise identity is that individuals will have a digital
representation of themselves that can be leveraged across departments and
agencies for multiple purposes, including access control.

A digital identity typically comprises a set of attributes that, when
aggregated, uniquely identify a user within a system or enterprise. To
establish trust in the individual represented by a digital identity, an agency
may also conduct a background investigation. Attributes about an
individual may be stored in various authoritative sources within an agency
and linked to form an enterprise view of the digital identity. This digital
identity may then be granted physical and logical access to applications
and removed when access is no longer required.

With the establishment of an enterprise identity, it is important that
policies and processes be developed to manage the life cycle of each
identity. Management of an identity includes—
   •   The framework and scheme for establishing a unique digital
       identity,
   •   The ways identity data will be used,
   •   The protection of personally identifiable information,
   •   Controlling access to identity data,
   •   The policies and processes for management of identity data,
   •   Developing a process for remediation (i.e., solving issues or
       defects),
   •   Sharing authoritative identity data with applications that leverage
       it, and
   •   Revoking an enterprise identity.

As part of the framework for establishing a digital identity, diligence
should be employed to limit data stored in each system to a set of
attributes required to define the unique digital identity and still meet the
requirements of integrated systems. A balance is needed between
information stored or made available to internal and external systems, and
the privacy of individuals.

Credential Management

According to NIST SP 800-63, a credential is an object that authoritatively
binds an identity (and optionally, additional attributes) to a token
possessed and controlled by a person.[6] Credential management supports
the life cycle of the credential itself. In the federal government, examples
of credentials include smart cards, private/public cryptographic keys, and
digital certificates. The policies around credential management, from
identity proofing to issuance to revocation, are fairly mature compared to
the other parts of ICAM.
Personal Identity Verification (PIV) standards
are found in Federal Information Processing Standards (FIPS) Publication
201-1 and NIST SP 800-73-3 (hyperlinks found in appendix A). Federal
Public Key Infrastructure (PKI) Common Policy and DOD Common
Access Cards are examples of documents that are important for agency-
specific credential implementations. Today, approximately 5 million PIV
cards have been issued to federal employees and contractors (see figure 2).

Current Status - HSPD-12
Credentials Issued as of June 1, 2011

   Credentials Issued to Federal and Military Employees:        4,151,358 (88%)
   Credentials Issued to Federal Contractors:                     842,946 (81%)
   Total Credentials Issued to All Employees and Contractors:   4,994,304 (87%)

Figure 2: PIV cards data compiled from IDManagement.gov. Agency-specific status
may be located at http://www.whitehouse.gov/omb/e-gov/hspd12_reports/. The
percentages represent the percentage of each category obtaining credentials.

[6] The credentialing process principles and elements can also be applied for NPE digital
identities; however, steps may vary during the credential issuance process (e.g., sponsorship,
adjudication) based on an organization’s security requirements.

Credentialing consists of an authorized employee sponsoring an individual
or entity and justifying the need for the credential. Next, the individual
enrolls for the credential, a process that typically consists of identity
proofing and the capture of biographic and biometric data. The types of
data required may depend on the credential type and the usage scenario.
This step may be automatically completed based on data collected and
maintained through identity management processes and systems, since
enrollment for a credential requires much of the same data collection that
is required as part of identity management. Subsequently, a credential will
be produced and issued to the individual or NPE. As in the case of
enrollment, these processes will vary based upon the credential type in
question. Identity proofing, production, and issuance requirements for
other credential types typically include a subset of the processes or
technologies but follow the same general principles. Finally, a credential
must be maintained over its life cycle, which might include revocation,
reissuance/replacement, reenrollment, expiration, personal identification
number reset, suspension, or reinstatement.

A key distinction in the life cycle management of credentials versus
identities is that credentials expire.
The attributes that form one’s digital
identity may change over time, but one’s identity does not become invalid
or terminated from a system perspective. Credentials, however, are
usually valid for a predefined period, typically for five years. An example
is certificates issued to an individual that expire based on the issuer’s PKI
Common Policy. While the identity of an individual does not change, the
certificates associated with that individual can be revoked and new ones
issued. This does not have a bearing on the individual’s identity, as
credentials are a tool that provides varying levels of assurance about the
authentication of an individual.

Another key aspect of credential management is the security and
protection of credentials, from issuance to termination. The trust in a
credential depends on a multilayered approach to security that protects the
credential, as well as who can use the credential, from attack. ICAM hinges
on the level of trust in a credential and the uniformity of security and
integrity across the security architecture in order to retain that trust
throughout the use of the credential.

When the Working Group surveyed the IG community regarding the use
of PIV card capabilities, the responses showed that OIGs (1) are currently
using the PIV card for physical and/or logical access, (2) are planning to use
the PIV card for physical and/or logical access, (3) are awaiting their parent
agencies’ direction on PIV use, or (4) currently have no plans to
implement PIV card technology (see figure 3).

PIV Card Technology (survey responses)

   Currently Using:                 34%
   Planned Use:                     20%
   Dependent on Agency Direction:   17%
   No Current Plans:                 7%
   No Data Given:                   22%

Figure 3: Results from the Cybersecurity Working Group survey. See appendix B for a
summary of survey results.

Access Management

Access management is the management and control of the ways in which
entities are granted access to resources. The purpose of access
management is to ensure that the proper identity verification is made when
an individual attempts to access security-sensitive buildings, computer
systems, or data. It has two areas of operations: logical and physical
access. Logical access is the access to an IT network, system, service, or
application. Physical access is the access to a physical location such as a
building, parking lot, garage, or office. Access management leverages
identities, credentials, and privileges to determine access to resources by
authenticating credentials. After authentication, a decision as to whether a
person is authorized to access the resource can be made. These processes
allow agencies to obtain a level of assurance in the identity of the
individual by—

   •   Ensuring that all individuals attempting access are properly
       validated (authentication),
   •   Ensuring that all access to information is authorized
       (confidentiality),
   •   Protecting information from unauthorized creation, modification,
       or deletion (integrity),
   •   Ensuring that authorized parties are able to access needed
       information (reliability, maintainability, and availability), and
   •   Ensuring the accountability of parties when gaining access and
       performing actions (nonrepudiation).

In addition, access control sets the stage for activities outside of the
traditional access control paradigm. One corollary to access management
is the ability to ensure that all individuals attempting access have a
genuine need. This is tied to authentication and authorization, but also to
the business rules surrounding the data themselves. Privacy is provided by
ensuring confidentiality and by refraining from collecting more
information than necessary.

A key aspect of access management is the ability to leverage an enterprise
identity for entitlements, privileges, multifactor authentication, roles,
attributes, and different levels of trust. Logical and physical access are
often viewed as the most significant parts of ICAM from a return-on-
investment perspective. To maximize that return, a successful access
management solution is dependent on identity, credentials, and attributes
for making informed access control decisions, preferably through
automated mechanisms.
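The two-step decision described above, worked through as an added example that is not code from the report or from any federal ICAM implementation: a presented credential is first checked against its validity period and a revocation list, the credential life cycle point made under Credential Management (credentials expire and can be revoked and reissued while the identity persists), and only then is the enterprise identity bound to the credential evaluated against the attribute and assurance policy of the resource. The identities, credentials, revocation list, resources, policies and the evaluation dates are constructed sample data; the numeric assurance levels are an assumption and do not map to any particular standard.

```python
"""Credential validation followed by an attribute-based access decision.

Added illustration, not code from the report or from any federal ICAM
program. Every identity, credential, resource and policy below is
constructed sample data; assurance levels are assumptions.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2011, 9, 30)   # constructed evaluation date
LATER = date(2017, 1, 1)    # constructed date after every credential has expired


@dataclass(frozen=True)
class Credential:
    serial: str        # identifier of the credential (e.g. a certificate serial)
    subject: str       # enterprise identity the credential is bound to
    issued: date
    expires: date
    assurance: int     # level of assurance the issuer asserts (1 low .. 4 high)


@dataclass
class Identity:
    enterprise_id: str
    attributes: dict   # authoritative attributes (role, agency, ...)
    active: bool = True  # cleared when the person separates from the agency


@dataclass
class Resource:
    name: str
    min_assurance: int
    required: dict     # attribute name -> set of acceptable values


# --- constructed sample data ----------------------------------------------
IDENTITIES = {
    "E-1001": Identity("E-1001", {"role": "auditor", "agency": "OIG"}),
    "E-1002": Identity("E-1002", {"role": "contractor", "agency": "OIG"}),
    "E-1003": Identity("E-1003", {"role": "auditor", "agency": "OIG"}, active=False),
}
CREDENTIALS = {
    # E-1001's first certificate, later revoked and replaced by B7C2; the
    # identity E-1001 itself is unchanged by the reissuance.
    "A1F3": Credential("A1F3", "E-1001", date(2006, 6, 1), date(2011, 6, 1), 4),
    "B7C2": Credential("B7C2", "E-1001", date(2011, 6, 2), date(2016, 6, 2), 4),
    "C9D4": Credential("C9D4", "E-1002", date(2009, 1, 15), date(2014, 1, 15), 3),
    "D2E8": Credential("D2E8", "E-1003", date(2010, 3, 1), date(2015, 3, 1), 4),
}
REVOKED = {"A1F3"}  # stands in for the issuer's certificate revocation list
RESOURCES = {
    "audit-case-files": Resource("audit-case-files", 4,
                                 {"role": {"auditor", "investigator"}}),
    "general-intranet": Resource("general-intranet", 2, {}),
}


def validate_credential(cred, today, revoked):
    """Authentication step: is the presented credential still trustworthy?"""
    if cred.serial in revoked:
        return False, "credential revoked"
    if not cred.issued <= today <= cred.expires:
        return False, "credential expired or not yet valid"
    return True, "credential valid"


def authorize(identity, resource, assurance):
    """Authorization step: identity attributes against the resource policy."""
    if not identity.active:
        return False, "identity deactivated"
    if assurance < resource.min_assurance:
        return False, "assurance level too low"
    for attr, allowed in resource.required.items():
        if identity.attributes.get(attr) not in allowed:
            return False, f"attribute '{attr}' does not satisfy policy"
    return True, "authorized"


def access_decision(serial, resource_name, today=TODAY):
    """Full decision: validate the credential, then authorize the bound identity."""
    cred = CREDENTIALS.get(serial)
    if cred is None:
        return "deny", "unknown credential"
    ok, reason = validate_credential(cred, today, REVOKED)
    if not ok:
        return "deny", reason
    identity = IDENTITIES[cred.subject]
    ok, reason = authorize(identity, RESOURCES[resource_name], cred.assurance)
    return ("permit" if ok else "deny"), reason


if __name__ == "__main__":
    for serial, res in [("A1F3", "audit-case-files"), ("B7C2", "audit-case-files"),
                        ("C9D4", "audit-case-files"), ("C9D4", "general-intranet"),
                        ("D2E8", "audit-case-files")]:
        print(serial, res, *access_decision(serial, res))
```

The order of the checks is the point: a revoked or expired credential is refused before any attribute is consulted, and a deactivated identity is refused even when its credential is still within its validity period, which is why both life cycles have to be managed.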
Without an access management solution, the
vision and value of an identity access management initiative are
diminished.

Recommendations

The Federal CIO Council, Information Security and Identity Management
Committee, highlights some high-level considerations in its Federal
Identity, Credential, and Access Management Roadmap and
Implementation Guidance, Version 1.0. We recommend that OIGs
consider the following guidance and practices, when applicable:

Recommendation #3: Refer to IDManagement.gov, a one-stop shop for
citizens, businesses, and government entities interested in identity
management activities, including topics related to HSPD-12; Federal PKI;
identity, credential, and access management; and acquisitions.

Recommendation #4: Identify an application to employ two-factor
identification to protect information based on NIST SP 800-63 guidance.

Recommendation #5: Evaluate personnel processes for hiring and
separating employees.

Incident Detection and Handling

The IG community needs effective computer incident prevention,
detection, and handling capabilities. Understanding that not all IT
incidents can be prevented is critical to understanding the threats that face
our networks today. An incident detection, reporting, and response
capability is therefore necessary for effective network security.

Reports of security incidents from federal agencies are on the rise,
increasing by more than 650% over the past 5 years.[7] The growing threats
and increasing number of reported incidents highlight the need for a robust
system of countermeasures to prevent incidents from occurring and to
quickly detect and respond to incidents that cannot be prevented.
However, serious and widespread information security control deficiencies
continue to place federal assets at risk of misuse, sensitive information at
risk of inappropriate disclosure, and critical operations at risk of
disruption. Therefore, it is imperative that federal agencies implement an
incident prevention, detection, and response program to ensure business
continuity. Incident prevention includes, but is not limited to, boundary
defenses, asset inventories, configuration management, user account
management, and automated monitoring to provide real-time security
status reporting. Incident detection and response covers automated
detection, analysis, containment, eradication, and recovery.

[7] Cyber Security: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure
and Federal Information Systems (GAO-11-463T), March 16, 2011.

IT security incidents, whether deliberate or unintentional, threaten the
confidentiality, integrity, or availability of information and information
resources. When an information security-related incident is suspected or
discovered, personnel must immediately take steps to protect the
information resource(s) at risk. Agencies must develop an incident
response capability that enables coordinated efforts of a defined incident
response team to respond to incidents. When an incident has been
identified, the incident response team must have the knowledge and skills
to follow standard procedures.

Incident Notification, Reporting, and Immediate Responses: A
Government “Standard”

Many branches of the U.S. government, including the DOD, DHS, and the
Intelligence Community, have drafted guidelines they believe should be
used for effective network security. All the publications currently
available from these entities are invaluable resources for designing and
establishing network security plans and incident-related procedures.
Among agencies, there are still many differences in what the “standard” is
for responding to incidents and how business should be conducted.

NIST has been developing a generalized standard for computer security
incident handling that is applicable to any agency’s architecture or
network environment: NIST SP 800-61, Revision 1, Computer Security
Incident Handling Guide.

NIST SP 800-61 provides guidelines for IT incident handling, particularly
for analyzing incident-related data and determining the appropriate
response to each incident. Because effective incident response is a
complex undertaking, establishing a successful incident response
capability requires substantial planning and resources. Continually
monitoring threats through intrusion detection systems, full-time network
packet capture, and other mechanisms is essential.[8]

[8] Packet capture uses a computer program or a piece of computer hardware that can
intercept and log traffic passing over a digital network or part of a network. As data streams
flow across the network, the sniffer captures each packet and, if needed, decodes the packet’s
raw data, showing the values of various fields in the packet, and analyzes its content.

As NIST SP 800-61 evolves into a potential Government Standard for
incident response, it will need to keep up with the threats and trends. It is
an effective starting point for the establishment of network incident
response guidelines when combined with creating partnerships with
agencies that have well-established programs in order to learn from their
mistakes and grow from their innovation.

Establishing clear procedures for assessing the current and potential
business impact of incidents is critical, as is implementing effective
methods of collecting, analyzing, and reporting data. Each agency will
need to understand the specific threats it faces and its critical assets and data,
and to develop the appropriate tools for handling incidents. In the past,
protection of agency data and network security was focused on quick
remediation and reliance on antivirus and firewall technology. In the
current cyber landscape, it can be impossible to get ahead of the threat,
and active network investigations, network traffic control, and monitoring
are often the only defense.

Incident Prevention

Securing Network Boundaries: The First Line of Defense Against
Incidents

Most federal agencies have Internet-accessible computers on their
networks in order to communicate with external business parties and with
the public. These computers are prime targets for exploitation and thus
are highly sought after by hackers. For example, organized crime groups
and nation-states continuously scan the Internet for publicly accessible
computers on federal agency networks. After finding and then exploiting
a vulnerability on a publicly accessible computer, the cybercriminals use
the exploited computer as a means to penetrate deeper into the agency’s
network to steal sensitive data or disrupt operations.

Thus, to prevent incidents resulting from unauthorized access, agencies
need a system of defenses to both control the flow of traffic through their
network borders and inspect its content.
These boundary defenses must be
multilayered—relying on, for example, firewalls, proxy servers, and
network-based intrusion detection systems[9][10]—to prevent or immediately
detect intrusions into the agency’s computer networks.

[9] A firewall is a set of IT resources that separate and protect computer systems and data on
an organization’s internal networks from unauthorized access from an external network, such
as the Internet.

[10] A proxy server is a computer system that acts as an intermediary for requests from local
computers seeking resources or services from untrusted sources, such as from computers on
the Internet. Key security features provided by proxy servers include filtering for malicious
content and denying access to websites that are known sources of malware.

Configuration Management: Ensuring That Network Devices Are
Securely Configured

Configuration management (CM) is the process of establishing and
controlling changes made to hardware and software throughout the life
cycle of an information system. Often, computer operating systems are
configured by the vendor for ease of deployment and ease of use rather
than for security, leaving them exploitable in their default state. Hackers
are aware of this industry practice and use automated attack programs to
continuously scan federal agency networks for systems with
vendor-configured (vulnerable) operating systems, which they can
immediately exploit.

To reduce the number of incidents that result from exploiting this
condition, the Center for Internet Security (CIS) has published
recommended configuration settings, called benchmarks, for securing a
wide variety of computer operating systems and other devices such as
firewalls and routers.[11] A growing number of federal agencies, including
the National Aeronautics and Space Administration, have adopted the
benchmarks as best practices for the secure configuration of computer
operating systems and other network-attached devices.

[11] According to CIS, its benchmarks are consensus-based, best practice security
configuration guides both developed and accepted by government, business, industry, and
academia. (See www.cisecurity.org for more information.) However, reference to CIS, a
private organization, is made for informational purposes only and does not constitute an
endorsement by CIGIE or any federal agency. Moreover, it does not imply that its
recommendations are necessarily the most appropriate or best available.

In addition to CIS benchmarks, NIST, through its National Checklist
Program, has defined a repository of vendor-developed checklists
(benchmarks) for the secure configuration of computer operating systems
and other network-attached devices. Moreover, the program has
addressed the need for automating IT security processes through the SCAP
to enable security tools to automatically check configuration by using the
checklists.

Controlling Data Access Through Effective User Account Management

Sensitive data occur widely throughout federal computer systems and
networks and include personally identifiable information, information
controlled by the International Traffic in Arms Regulations and the Export
Administration Regulations, and third-party intellectual property.
Accordingly, agencies must implement effective safeguards to prevent the
loss or theft of these sensitive data.

For example, without proper safeguards such as restricting administrator
or super-user account privileges and ensuring that only authorized
personnel have system access, sensitive information, including law
enforcement reports and personally identifiable information, could be
disclosed for purposes of espionage, identity theft, or other types of
criminal activity.[12] According to the System Administration Networking
and Security (SANS) Institute,[13] a widely recognized authoritative source
for best practices in IT security, the misuse of administrator privileges is
the method most widely used by attackers to steal sensitive data from
federal agencies. This problem is exacerbated when many users
unnecessarily have administrative privileges. In such an environment,
each account becomes a potential target for an attacker. Once an
administrator account is compromised, the attacker has full access to the
victim’s machine, or to many machines when the attack involves accounts
with domain administration privileges.

[12] The super-user, unlike normal user accounts, can operate without limits, and misuse of
the super-user account may result in spectacular disasters. User accounts are unable to destroy
the system by mistake, so it is generally best to use normal user accounts whenever possible,
unless you especially need the extra privilege.

[13] Reference to the SANS Institute, a private organization, is made for informational
purposes only and does not constitute an endorsement by CIGIE or any federal agency.
Moreover, it does not imply that its recommendations are necessarily the most appropriate or
best available.

A second common way attackers gain unauthorized system access is by
exploiting legitimate but inactive user accounts.
This can occur when\n                 employees separate from an agency but their user accounts remain active.\n                 To prevent security incidents related to ineffective account management, it\n                 is necessary to (1) limit employee access to system rights and permissions\n                 employees need to perform their official duties, and (2) immediately\n                 deactivate all user accounts when employees separate from an agency.\n\n                 Knowing What Is on the Network: The Need for Inventories of\n                 Networked Devices\n\n                 An accurate and up-to-date inventory of an agency\xe2\x80\x99s network-attached\n                 devices, controlled by active monitoring and configuration management,\n                 can reduce the chance of attackers finding unauthorized and unprotected\n                 systems to exploit. For example, one common attack exploits the\n                 condition when new hardware is installed on a network one evening and\n                 not configured and patched with appropriate security updates until the\n                 following day. Attackers from anywhere in the world may quickly find\n                 and exploit such systems that are Internet-accessible. Furthermore, even\n                 in internal network systems, attackers who have already gained access\n                 may hunt for and compromise additional improperly secured systems.\n                 Some attackers use the local nighttime window to install backdoors on\n                 systems before they are hardened. 14\n\n                 Attackers also frequently look for experimental or test systems that are\n                 intermittently connected to the network but not included in an\n                 organization\xe2\x80\x99s standard asset inventory. 
Such experimental systems tend not to have as thorough security hardening or defensive measures as other systems on the network. Although these test systems do not typically hold sensitive data, they offer an attacker an avenue into the organization and a launching point for deeper network penetration.

According to the respondents to the Working Group’s survey, the majority of the IG community maintains a complete and accurate list of hardware and software applications supporting IG community programs and operations (see figure 4).

14 A backdoor in a computer system is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program.

[Figure 4, pie chart: IT Asset Inventory Maintained. Yes (75%); No (15%); No Data Given (10%).]

Figure 4: Results from the Cybersecurity Working Group survey.

Automating the Continuous Monitoring Program

Ensuring that federal information systems are adequately protected against ever-increasing threats requires mechanisms to establish and then continuously monitor (audit) key security controls.
The goal of continuous monitoring is to determine whether a system’s key IT security controls continue to be effective over time in light of changes to hardware or software. A well-designed and well-managed continuous monitoring program can transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential information about a system’s security status on a real-time basis. This, in turn, enables officials to take timely risk mitigation actions and make risk-based decisions regarding the operation of the information system.

Automating the control monitoring process is essential because of the size, complexity, volatility, and interconnected nature of federal information systems. The SANS Institute has identified 20 critical IT security controls organizations should implement for effective cyber defense. 15 The SANS Institute recommends that federal agencies examine all 20 control areas against the current agency status and develop an agency-specific plan to implement the controls as a key component of an overall IT security program.

15 “20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines,” SANS Institute, November 2009. Reference to the SANS Institute, a private organization, is made for informational purposes only and does not constitute an endorsement by CIGIE or any federal agency.
Moreover, it does not imply that its recommendations are necessarily the most appropriate or best available.

Incident Detection

Incidents can occur from a myriad of complex sources and causes. Therefore, personnel monitoring an agency’s IT infrastructure must have sufficient technical knowledge and experience to identify and analyze events and other incident-related data. Types of cybersecurity-related incidents include malicious code such as viruses, worms, and Trojan horses; denial-of-service attacks; unauthorized access; and inappropriate usage. 16 17

Indications of an incident can occur at different sources and levels. Some examples of incident indications include port-scanning activities reported by the intrusion detection system/intrusion prevention system; multiple or persistent failed login attempts from an unfamiliar system; unusual activity at an external web server; unusual deviation in network traffic flows; antivirus software alerts; user complaints of slow access or response; filenames with unusual characters; configuration changes in audit log files; and unusual numbers of bounced e-mails with suspicious content.

Information about zero-day exploits and known threats and vulnerabilities can also be a source for incident detection. 18 The possibility of incidents attributed to the “insider threat” should also be considered.
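As an added example that is not part of the report, the Python below checks two of the incident indications listed above over constructed log lines: persistent failed logins from a system not on a known-hosts list, and one source being denied on many distinct ports within a short window, as an IDS/IPS or firewall would report a port scan. The log formats, addresses, thresholds and time windows are assumptions, not any agency’s configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Systems from which logins are expected (constructed "familiar" hosts).
KNOWN_HOSTS: Set[str] = {"10.0.1.25", "10.0.1.30"}

# Constructed authentication log in an assumed sshd-style format.
AUTH_LOG = """\
2011-09-30T02:14:01 sshd: Failed password for admin from 203.0.113.77 port 51522
2011-09-30T02:14:03 sshd: Failed password for admin from 203.0.113.77 port 51523
2011-09-30T02:14:06 sshd: Failed password for root from 203.0.113.77 port 51524
2011-09-30T02:14:09 sshd: Failed password for admin from 203.0.113.77 port 51525
2011-09-30T02:14:12 sshd: Failed password for admin from 203.0.113.77 port 51526
2011-09-30T08:01:44 sshd: Failed password for jsmith from 10.0.1.25 port 40211
2011-09-30T08:01:50 sshd: Accepted password for jsmith from 10.0.1.25 port 40211
2011-09-30T09:30:00 sshd: Failed password for jdoe from 10.0.1.30 port 40300
2011-09-30T09:30:20 sshd: Failed password for jdoe from 10.0.1.30 port 40301
2011-09-30T09:30:40 sshd: Failed password for jdoe from 10.0.1.30 port 40302
"""

# Constructed firewall deny log: one source walking through many ports.
FW_LOG = """\
2011-09-30T03:00:00 DENY src=198.51.100.9 dst=10.0.1.10 dport=21
2011-09-30T03:00:01 DENY src=198.51.100.9 dst=10.0.1.10 dport=22
2011-09-30T03:00:02 DENY src=198.51.100.9 dst=10.0.1.10 dport=23
2011-09-30T03:00:03 DENY src=198.51.100.9 dst=10.0.1.10 dport=25
2011-09-30T03:00:04 DENY src=198.51.100.9 dst=10.0.1.10 dport=80
2011-09-30T03:00:05 DENY src=198.51.100.9 dst=10.0.1.10 dport=110
2011-09-30T03:00:06 DENY src=198.51.100.9 dst=10.0.1.10 dport=135
2011-09-30T03:00:07 DENY src=198.51.100.9 dst=10.0.1.10 dport=139
2011-09-30T03:00:08 DENY src=198.51.100.9 dst=10.0.1.10 dport=443
2011-09-30T03:00:09 DENY src=198.51.100.9 dst=10.0.1.10 dport=445
2011-09-30T08:15:00 DENY src=10.0.1.25 dst=10.0.1.10 dport=445
"""

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for \S+ from (\S+) port \d+$")
FW_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def failed_login_bursts(log: str, known_hosts: Set[str], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Unfamiliar sources with >= threshold failed logins inside one window.
    Returns {source: failures in its densest window}."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(2) == "Failed":
            failures[m.group(3)].append(_ts(m.group(1)))
    alerts: Dict[str, int] = {}
    for src, times in failures.items():
        if src in known_hosts:
            continue  # familiar system: left to the ordinary lockout policy
        count = _max_in_window(times, window)
        if count >= threshold:
            alerts[src] = count
    return alerts


def port_scans(log: str, threshold: int = 10,
               window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Sources denied on >= threshold distinct ports inside one window.
    Returns {source: distinct ports in its densest window}."""
    probes: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            probes[m.group(2)].append((_ts(m.group(1)), int(m.group(3))))
    alerts: Dict[str, int] = {}
    for src, events in probes.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({port for _, port in events[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(AUTH_LOG, KNOWN_HOSTS))
    print("port scans:", port_scans(FW_LOG))
```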
Unauthorized access by insiders should prompt stronger policies concerning background investigations for personnel and stronger security controls on internal networks.

Incident Handling

According to OMB Memorandum 07-16, dated May 22, 2007, entitled Safeguarding Against and Responding to the Breach of Personally Identifiable Information, “when faced with a security incident, an agency must be able to respond in a manner protecting both its own information and helping to protect the information of others who might be affected by the incident. To address this need, agencies must establish formal incident response mechanisms.

16 Viruses, Worms, and Trojan Horses are all malicious programs that are purposely written to cause damage to a computer and/or information on the computer. They are also capable of slowing down the Internet, and they can use an individual’s computer to spread themselves to friends, family, coworkers, or others.
17 A denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a denial-of-service attack may vary, it generally consists of the concerted efforts of a person, or multiple people, to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
18 A zero-day exploit is one that takes advantage of a security vulnerability on the same day the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack.
To be fully effective, incident handling and response must also include sharing information concerning common vulnerabilities and threats with those operating other systems and in other agencies. In addition to training employees on how to prevent incidents, all employees must also be instructed in their roles and responsibilities regarding responding to incidents should they occur.” Possible metrics for incident-related data could include the number of incidents handled, time per incident, and assessments of each incident.

Best Practices for Incident Response, Network Defense, and Remediation

According to NIST SP 800-61, effective incident response has four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity (see figure 5).

Figure 5: The Incident Response Life Cycle. Source: NIST SP 800-61, p. 3-1.

The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented; furthermore, no control is foolproof. Detection of security breaches is thus necessary to alert the organization whenever incidents occur.
In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and ultimately recovering from it. After the incident is handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. 19

Security Breach Notification

OMB Memorandum 07-16 requires agencies to develop and implement a breach notification policy. The term “personally identifiable information” refers to information that can be used to distinguish or trace an individual’s identity. It includes information such as name, Social Security number, and biometric records. This information can be used alone or combined with other personal or identifying information that may be linked or linkable to a specific individual, such as date and place of birth and mother’s maiden name.

19 NIST SP 800-61, Computer Security Incident Handling Guide.
Agencies must report incidents involving personally identifiable information to the United States Computer Emergency Readiness Team.

External Notification of a Security Breach

Each agency should develop a breach notification policy and plan comprising the six elements discussed in OMB Memorandum 07-16 and listed below—
    • Whether breach notification is required
    • Timeliness of the notification
    • Source of the notification
    • Contents of the notification
    • Means of providing the notification
    • Who receives notification (public outreach v. internal communications)

When implementing the policy and plan, the agency head will make final decisions regarding breach notification. To ensure adequate coverage and implementation of the plan, each agency should establish an agency response team that includes the program manager of the program experiencing the breach; the CIO, Chief Privacy Officer or Senior Official for Privacy; Communications Office; Legislative Affairs Office; General Counsel; and the Management Office, which includes budget and procurement functions. 20

Business Impact, Damage Assessment, and Lessons Learned

After the incident is handled, the agency should prepare a business impact and damage assessment. This assessment describes the cause and cost of the incident and the required steps to prevent future incidents.
Items to consider when calculating the cost include damage to the agency’s reputation; lost revenue; lost service and ability to operate; cost to remediate or replace information; cost to repair or replace damaged hardware; and potential fines, lawsuits, and legal fees. Conducting a “lessons learned” session with all involved personnel after an incident can help strengthen security measures while also improving the incident-handling process.

20 “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (OMB Memorandum 07-16), May 22, 2007.

Results of CIGIE Cybersecurity Working Group Survey

To assess the IG community’s incident detection and handling capability, we conducted a survey to identify common practices for identifying, containing, and responding to cybersecurity events. Survey results identified a number of areas where OIG security practices can be improved to enhance incident detection and handling capabilities. Specifically, survey results identified the following challenges—
   • Thirty-one percent of respondents have not implemented incident detection and handling policies and procedures consistent with NIST SP 800-61, Computer Security Incident Handling Guide.
   • Fifty-four percent of respondents do not periodically test their ability to identify, contain, and respond to cybersecurity events in accordance with local policy and procedures.
     Ineffective testing of incident detection and handling procedures could prevent OIGs from identifying and responding to system intrusion attempts in a timely manner.
   • Forty percent of respondents have not implemented the capability to monitor their systems and networks for unauthorized access. Additionally, respondents do not have security event correlation capabilities to identify trends related to network intrusions or intrusion attempts.
   • Twenty-seven percent of respondents do not periodically review system audit logs to identify unauthorized access attempts. Such reviews are critical for determining individual accountability, reconstructing security events, and identifying system performance issues.
   • Seventeen percent of respondents have not implemented encryption controls to protect sensitive OIG data transmitted via email or to protect OIG data “at rest” from unauthorized access or disclosure.
   • Seventeen percent of respondents do not have an accurate inventory of hardware, software, or applications supporting OIG critical operations.
     A complete list of hardware and software components is critical for protecting OIG systems in the event of a cybersecurity incident.

Recommendations

We recommend that OIGs consider implementing the following practices, when applicable:

Recommendation #6: Review CIS or other appropriate benchmarks for the secure configuration of critical network devices, including computer servers, firewalls, routers, and switches.

Recommendation #7: Monitor user account privileges for key OIG systems and limit privileged (e.g., administrator, superuser) system access to as few individuals as possible.

Recommendation #8: Implement a continuous security control monitoring program for key IT security controls, such as operating system configurations, system vulnerabilities, and software patch levels.

Scalable Trustworthy Systems

Due to differing IT models in operation, the IG community must be aware of the concepts of trust, scale, and composition when developing and implementing information systems. A clear understanding of these concepts is necessary so that organizations can maintain and improve the security posture of their IT environment when confronted with the adoption of emerging technologies, the demand for information sharing, and management of the technology refresh cycle.
21

According to A Roadmap for Cybersecurity Research, released in 2009, trustworthiness is a multidimensional measure of the extent to which a system is likely to satisfy each of the following elements: system integrity, availability, survivability, data confidentiality, guaranteed real-time performance, accountability, attribution, and usability. Definitions of what trust means for each element and well-defined measures against which trustworthiness can be evaluated are fundamental to developing and operating trustworthy systems. 22

As part of trustworthiness, IGs should identify Mission Critical (MC) applications and the infrastructure behind them. In the Continuity of Operations Plan (COOP) exercises that the DHS OIG participated in, all MC applications were identified, but the identification did not include all of the underlying infrastructure required to support those applications. IGs should recognize that it is critical to ensure that the disaster recovery infrastructure provides the same level of trust and the same security posture established for the MC applications during normal operations. This can be accomplished through architectural principles for the design and implementation of trustworthy, scalable systems.

21 The technology refresh cycle is the periodic replacement of IT and communications systems in response to changes in available technology.
22 A Roadmap for Cybersecurity Research, Department of Homeland Security, November 2009.
This makes emergency preparedness an additional requirement for trusted systems, one that can be addressed during the design phase. Designing systems for emergencies up front avoids the need to retrofit security measures after the disaster recovery infrastructure has already been deployed. It also guarantees senior leadership the same level of risk that they are accustomed to during normal operations, removing concerns outside of the emergency at hand.

Scalability is the ability to satisfy given requirements as computer systems and networks expand in functionality, capacity, complexity, and scope of trustworthiness. Systems must be designed with scalability in mind because experience shows that scalability typically cannot be retrofitted into a system later. The primary concern of this area is scalability that preserves or enhances trustworthiness in real systems.

Composability is the ability to create systems and applications with predictably satisfactory behavior from components, subsystems, and other systems. To enhance scalability in complex, distributed applications that must be trustworthy, high-assurance systems 23 should be developed from a set of components and subsystems, each of which is itself suitably trustworthy, within a system architecture that inherently supports composition. Composition includes the ability to run software on different hardware, aided by virtualization, operating systems emulation, and portable code.
24 In addition, composition extends beyond the technical aspects of system design, and therefore, system requirements and system evaluations should compose accordingly. It is vital that new systems can be incrementally added, or composed, into a system of systems with some predictable confidence that the trustworthiness of the resulting system of systems is not weakened. 25

While members of the IG community may not be developing large-scale systems themselves, they will rely on services provided by other organizations specializing in these systems and networks. Examples include mobile phone networks, cloud computing services, 26 agency intranets, and the Internet itself.

23 High-assurance systems offer strong guarantees that the system conforms to specified requirements for confidentiality, integrity, availability, safety, reliability, maintainability, standards, documentation, procedures, and regulations.
24 Virtualization is the use of virtual machines to let multiple network subscribers maintain individualized desktops on a single, centrally located computer or server. The central machine may be at a residence, business, or data center. Users may be geographically scattered but are all connected to the central machine by a proprietary local area network or wide area network or the Internet.
25 A Roadmap for Cybersecurity Research, Department of Homeland Security, November 2009.
While the IG community may not be responsible for the security of these systems, it is responsible for the security of the data it processes on the systems and must ensure that a sufficient level of trustworthiness is established.

The current framework developed to manage the risks to government information imposed by the IT gaps in composability and scalability is FISMA, supplemented by the NIST SP 800 series. However, it remains challenging to ensure the trustworthiness of systems based on the whole-system evaluations imposed by FISMA, due to the lack of top-to-bottom and end-to-end analysis as well as the great burden on system administrators.

Approaches such as OMB’s Trusted Internet Connection (TIC) and the Federal Risk and Authorization Management Program (FedRAMP), from the CIO Council, attempt to alleviate the problem by providing high-assurance systems for Internet connectivity and cloud computing. 27

The TIC initiative, headed by OMB and DHS, is a multifaceted plan for improving the federal government’s security posture by reducing external connections, including those to the Internet. This consolidation will result in a common security solution that includes facilitating the reduction of external access points, establishing baseline security capabilities, and validating agency adherence to those security capabilities.
Agencies participate in the TIC initiative either as TIC Access Providers (a limited number of agencies that operate their own capabilities) or by contracting with commercial managed trusted Internet protocol service providers through the GSA-managed Networx contract vehicle. 28 This effort addresses agencies’ needs for connectivity by offering a trusted, scalable architecture that enhances each individual agency’s security posture. 29

According to the survey respondents, there are variations in how OIGs connect to the Internet. Currently, most OIGs connect to the Internet through their parent agency (see figure 6).

26 Cloud computing services cover a wide range of scalable, on-demand infrastructure, service, and software solutions; they provide computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services.
27 The Trusted Internet Connection initiative is meant to optimize individual external connections, including Internet points currently in use by the Federal government of the United States.
28 The GSA website says that the Networx program offers comprehensive, best value telecommunications providing for new technologies, industry partners, and ways to achieve a more efficient and effective government.
Networx allows agencies to focus their resources on building seamless, secure operating environments while ensuring access to the best technology industry has to offer.
29 A scalable architecture is the ability of a system, network, or process to handle growing amounts of work in a graceful manner, or its ability to be enlarged to accommodate that growth.

[Figure 6, chart: How OIGs Connect to the Internet. Categories: OIG deployed Trusted Internet Connection; OIG deployed internet connection, no TIC architecture; Parent agency deployed Trusted Internet Connection; Parent agency deployed internet connection, no TIC architecture; Parent agency provides all internet access; Other.]

Figure 6: Results from the Cybersecurity Working Group survey.

Beginning with the fiscal year 2012 budget, OMB requires agencies to consolidate their data centers and target cloud computing platforms as the primary operating model for new IT services. 30 With reduced IT budgets on agencies’ immediate and long-term horizon, they must move to a new business model for delivering IT services. The IG community should focus on cloud computing as a primary option for new IT systems and services.

FedRAMP was established to provide a standard approach to assessing and authorizing cloud computing services and products.
It allows joint authorizations and continuous security monitoring services for both government and commercial cloud computing systems intended for multiagency use. Joint authorization of cloud providers results in a common security risk model that can be leveraged across the federal government. This model provides a consistent baseline for cloud-based technologies, which ensures that their benefits are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to quickly leverage cloud computer services following the “approve once and use often” method of ensuring that multiple agencies gain the benefit and insight of the FedRAMP Authorization and Accreditation of the service provider’s authorization packages.

30 Cloud computing services cover a wide range of scalable, on-demand infrastructure, service, and software solutions; they provide computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services.
31

NIST SP 800-145 (Draft) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage, applications, and services, which can be rapidly provisioned and released with minimal management or service-provider interaction.

Cloud computing systems are potentially beneficial for IG community members as they are scalable by design, offering the ability to distribute infrastructure resources rapidly and inexpensively. Cloud computing offers incremental scalability via “on-demand” allocation of computing and network resources that avoids the typical over-engineering of systems whose performance far exceeds their needs.

In addition, cloud computing may be beneficial in other respects. For example, it would enable the government to contract out many IT computing services. Economies of scale could lower costs, as having fewer but better-trained people maintaining a few cloud systems should be significantly more efficient than maintaining many small federal networks. Furthermore, having fewer systems, run by experts, using better hardware and software, may be significantly more secure.

Finally, cloud computing permits device independence through the use of virtualization technologies for servers, clients, and applications. Desktop services can be accessed from anywhere through web browsers and virtual remote desktop clients regardless of the client device type (e.g., laptops, smartphones, tablets).
Consequently, cloud computing is capable of unifying multiple infrastructures under a common platform. Cloud computing services can be engineered for high reliability through the use of multiple, redundant zones, making the platform suitable for business continuity and disaster recovery. Cloud computing systems can be designed for high assurance without sacrificing their scalability and low cost.

Smaller OIGs may benefit most from cloud technologies that provide secure services that they cannot currently support internally. As reflected in figures 7 and 8, survey respondents stated that audit management software packages were fairly standardized within the IG community, while a wide variety of software was used for case management. However, both audit management software and case management software could be used as a pilot for a multiagency-use cloud computing system.

31 http://www.cio.gov/pages.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP

[Figure 7, pie chart: Audit Management Software. TeamMate (51%); None (32%); AutoAudit (15%); Other (2%).]

Figure 7: Results from the Cybersecurity Working Group survey.

  Case Management Software             Number of     Percentage of
                                       Respondents   Respondents
  In-house Developed Application                11        26.82%
  None                                          12        29.26%
  AutoInvestigation                              1         2.44%
  Case Management System                         1         2.44%
  Case Management Tracking System                1         2.44%
  CaseMap                                        1         2.44%
  CMTS                                           1         2.44%
  Concordance                                    1         2.44%
  Law Enforcement Records System                 1         2.44%
  EDS                                            1         2.44%
  Entellitrack                                   3         7.32%
  I2MS                                           1         2.44%
  IGCIRTS                                        1         2.44%
  IG-Ideas                                       1         2.44%
  Magnum                                         2         4.88%
  Outsourced                                     1         2.44%
  ProLaw                                         1         2.44%
  Grand Total                                   41        100.0%

Figure 8: Results from the Cybersecurity Working Group survey.

Recommendations

We recommend that OIGs consider implementing the following practices, when applicable:

Recommendation #9: Carefully plan IT systems before deployment. New systems should enhance and maintain the security posture of the existing infrastructure and be capable of scaling according to projections. Requirements should include desired capabilities as well as nonfunctional requirements for system integrity, availability, survivability, data confidentiality,
accountability, attribution, usability, and other critical\nneeds.\n\nRecommendation #10: Embrace the TIC architecture to enhance the\nsecurity of network communications by ensuring that inbound and\noutbound data are properly monitored and secured.\n\nRecommendation #11: Consider applications that could benefit from the\nFedRAMP cloud computing model. Finding common applications across\nOIGs will improve the efficiency of the OIG IT infrastructure and reduce\nits IT footprint and costs.\n\nAppendix A\nReference List of Relevant Guidance, Laws, and Regulations\n\nPresidential Directives and Executive Orders\n\nHomeland Security Presidential Directive-12 (HSPD-12): Policy for a Common\nIdentification Standard for Federal Employees and Contractors\n\nSigned in 2004, HSPD-12 recognized that wide variation in the forms of identification used\nto access secure facilities creates a potential risk of terrorist attack. HSPD-12 directed the\ngovernment to eliminate those variations by creating a mandatory government standard for\nsecure and reliable forms of identification issued by the government to employees and\ncontractors. The policy is intended to enhance security, increase efficiency, reduce identity\nfraud, and protect personal privacy. It defined "secure and reliable forms of identification"\nas being issued based on sound criteria for verifying an individual's identity; strongly\nresistant to fraud and exploitation; rapidly authenticated electronically; and issued only by\nproviders whose reliability was established with a specific process. NIST has published a\nvariety of standards associated with HSPD-12 compliance (see FIPS PUB 201-1 and NIST\nSP 800-73-3 below).\n\nThe Comprehensive National Cybersecurity Initiative (CNCI) and The Cyberspace\nPolicy Review (CPR)\n   \xe2\x80\xa2 CNCI \xe2\x80\x94 In January 2008, President George W. 
Bush initiated the CNCI in\n       National Security Presidential Directive 54/Homeland Security Presidential\n       Directive 23 (NSPD-54/HSPD-23) to help secure the Nation in cyberspace. Major\n       goals include establishing a front line of defense against immediate threats,\n       defending against the full spectrum of threats, and strengthening the future\n       cybersecurity environment. An unclassified summary describes the 12 initiatives\n       established to achieve those goals. Those initiatives include managing the federal\n       enterprise network as a single network enterprise with trusted Internet connections;\n       deploying an intrusion detection system of sensors; connecting current cyber\n       operations centers to enhance situational awareness; defining and developing\n       enduring "leap-ahead" technology, strategies, and programs; defining and developing\n       enduring deterrence strategies and programs; and defining the federal role for\n       extending cybersecurity into critical infrastructure.\n       http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative\n\n   \xe2\x80\xa2   CPR \xe2\x80\x94 In 2009, President Obama adopted recommendations set forth in the\n       CPR. 
The CPR "outlines the beginning of the way forward towards a reliable,\n       resilient, trustworthy digital infrastructure for the future." A few of the broad\n       policies include leading from the top (e.g., appointing an executive branch\n       Cybersecurity Coordinator); sharing responsibility for cybersecurity (e.g., federal\n       government working closely with state and local governments and the private\n       sector); creating effective information sharing and incident response; and\n       encouraging innovation (e.g., establishing identity management mechanisms).\n       The White House explains that the CNCI initiatives will evolve and support the\n       achievement of many CPR recommendations.\n       http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf\n\nSelected Office of Management and Budget Circulars and Memorandums\n\n\xe2\x80\xa2    OMB Circular A-11, Preparation, Submission, and Execution of the Budget. Part 2,\n     Section 31.9, Management improvement initiatives and policies. Budget estimates\n     should reflect efforts involving IT investments, E-government projects and strategy,\n     commitment to privacy and reduction of improper payments, requirements of the\n     E-Government Act, and a comprehensive understanding of OMB policies and NIST\n     guidance.\n     http://www.whitehouse.gov/sites/default/files/omb/assets/a11_current_year/s31.pdf\n\n\xe2\x80\xa2    OMB Circular A-123, Management's Responsibility for Internal Control. This\n     circular provides guidance to federal managers on improving the accountability and\n     effectiveness of federal programs and operations by establishing, assessing,\n     correcting, and reporting on internal controls. Agency information security programs\n     are tied to these management controls through Appendix III of OMB Circular A-130\n     (below). http://www.whitehouse.gov/omb/circulars_a123_rev\n\n\xe2\x80\xa2    OMB Circular A-130 Revised, Management of Federal Information Resources.\n     The U.S. Federal CIO Council's Architecture Alignment and Assessment Guide\n     (2000) described OMB Circular A-130 as a "one-stop shopping document for OMB\n     policy and guidance on information technology management." It establishes policies\n     for the management of federal information resources government-wide. In particular,\n     Appendix III, Security of Federal Automated Information Resources, establishes the\n     minimum set of controls to be included in federal automated information security\n     programs, assigns federal agency responsibilities for the security of automated\n     information, and links agency automated information security programs to the\n     agency management control systems established under OMB Circular A-123. Each\n     agency's program must implement policies and standards consistent with OMB,\n     Department of Commerce, GSA, and Office of Personnel Management issuances, and\n     agency heads are required to report annually on the effectiveness of the agency's\n     security programs.\n     http://www.whitehouse.gov/omb/circulars_a130_a130trans4/\n\n\xe2\x80\xa2    OMB Memorandum 11-11, Continued Implementation of HSPD-12.[32] This\n     memorandum outlines a plan of action for agencies that will expedite the executive\n     branch's full use of the credentials for access to federal facilities and information\n     systems. http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf\n     (See also OMB M-05-24.)\n\n\xe2\x80\xa2    OMB Memorandum 11-02, Sharing Data While Protecting Privacy. 
This\n     memorandum directs agencies to find solutions that allow data sharing to move\n     forward in a manner that complies with applicable privacy laws, regulations, and\n     policies. http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-02.pdf\n\n[32] HSPD-12 applies to federal employees and contractors and requires (1) completion of background\ninvestigations, (2) issuance of standardized identity credentials, (3) use of the credentials for access to\nfederal facilities, and (4) use of the credentials for access to federal information systems.\n\n\xe2\x80\xa2   OMB Memorandum 10-27, Information Technology Investment Baseline\n    Management Policy. This memorandum provides policy direction regarding\n    development of agency IT investment (both major and nonmajor investments)\n    baseline management policies, and defines a common structure for IT investment\n    baseline management policy with a goal of improving transparency, performance\n    management, and effective investment oversight.\n    http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-27.pdf\n\n\xe2\x80\xa2   OMB Memorandum 10-15, FY 2010 Reporting Instructions for the Federal\n    Information Security Management Act and Agency Privacy Management. This\n    memorandum requires agencies to upload monthly inventory data feeds to\n    CyberScope starting January 1, 2011. 
CyberScope is a web application developed by\n    DHS in conjunction with the Department of Justice to handle manual and automated\n    inputs of agency data for FISMA reporting.\n    http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf\n\n\xe2\x80\xa2   OMB Memorandum 08-22, Guidance on the Federal Desktop Core Configuration\n    (FDCC). This guidance updates OMB Memorandum 07-11, Implementation of\n    Commonly Accepted Security Configurations for Windows Operating Systems, and\n    discusses (1) Federal Desktop Core Configuration Major Version 1.0; (2) the Security\n    Content Automation Protocol (SCAP) validation requirement; (3) compliance, testing,\n    and use of SCAP-validated tools for application providers supporting the federal\n    government; (4) scope of "desktop" configuration; (5) revisions to part 39 of the\n    Federal Acquisition Regulation; (6) the creation of the FDCC change control board;\n    (7) updating FISMA guidance for FDCC; and (8) the policy utilization effort.\n    http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-22.pdf\n\n\xe2\x80\xa2   OMB Memorandum 08-05 and OMB Memorandum 08-27\n    o Memorandum 08-05, Implementation of Trusted Internet Connections. This\n      memorandum announced the TIC initiative to optimize individual network\n      services into a common solution for the federal government. The common\n      solution facilitates the reduction of external connections, including Internet points\n      of presence, to a target of 50. 
It required agencies to develop a comprehensive\n      plan of action and milestones with a target completion date of June 2008.\n      http://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2008/m08-05.pdf\n\n    o Memorandum 08-27, Guidance for Trusted Internet Connection Compliance.\n      This memorandum instructs agencies identified as TIC Access Providers to ensure\n      compliance with the TIC initiative by (1) complying with critical TIC technical\n      capabilities per the agencies' Statement of Capability; (2) continuing reduction\n      and consolidation of external connections to identified TIC access points; (3)\n      collaborating with the National Cyber Security Division; (4) executing a\n      memorandum of agreement between DHS and the agency's CIO; and (5)\n      executing a service-level agreement between DHS and the agency's CIO.\n      http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-27.pdf\n\n\xe2\x80\xa2   OMB Memorandum 07-18, Ensuring New Acquisitions Include Common Security\n    Configurations. This memorandum provides recommended language for agencies to\n    use in solicitations to ensure that new acquisitions of Windows XP and Vista\n    operating systems include the FDCC configuration settings discussed in M-07-11.\n    http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf\n\n\xe2\x80\xa2   OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of\n    Personally Identifiable Information. This memorandum requires agencies to develop\n    and implement a notification policy for internal and external breaches of personally\n    identifiable information. 
It also requires agencies to develop policies concerning the\n    responsibilities of individuals authorized to access personally identifiable\n    information.\n    http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf\n\n\xe2\x80\xa2   OMB Memorandum 06-16, Protection of Sensitive Agency Information. In addition\n    to NIST\xe2\x80\x99s checklist for protection of remote information, this memorandum\n    recommends that all departments and agencies take actions including (1) encrypting\n    all data on mobile computers/devices that carry agency data unless the data are\n    determined to be nonsensitive; (2) allowing remote access only with two-factor\n    authentication where one of the factors is provided by a device separate from the\n    computer gaining access; (3) using a \xe2\x80\x9ctime-out\xe2\x80\x9d function for remote access and\n    mobile devices, requiring user reauthentication after 30 minutes of inactivity; and\n    (4) logging all computer-readable data extracts from databases holding sensitive\n    information and verifying that each extract including sensitive data has been erased\n    within 90 days or that its use is still required.\n    http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m06-16.pdf\n\n\xe2\x80\xa2   OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies. This\n    memorandum requires agencies to review new and existing electronic transactions to\n    ensure that authentication processes provide the appropriate level of assurance. It\n    establishes and describes four levels of identity assurance for electronic transactions\n    requiring authentication. Assurance levels also provide a basis for assessing\n    credential service providers on behalf of federal agencies. The memorandum also\n    assists agencies in determining their E-government authentication needs for users\n    outside the executive branch. 
Further, it explains that agency business process\n    owners bear the primary responsibility to identify assurance levels and strategies for\n    providing them. The responsibilities set forth also extend to electronic authentication\n    systems. http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf\n\n\xe2\x80\xa2    OMB Memorandum 03-22, OMB Guidance for Implementing the Privacy\n     Provisions of the E-Government Act of 2002. This memorandum directs agencies to\n     conduct reviews of how information about individuals is handled within their agency\n     when they use IT to collect new information, or when they develop or buy new IT\n     systems to handle collections of personally identifiable information.\n     http://www.whitehouse.gov/omb/memoranda_m03-22\n\n\xe2\x80\xa2    OMB Memorandum 00-10, OMB Procedures and Guidance on Implementing the\n     Government Paperwork Elimination Act (GPEA). This memorandum provides\n     executive agencies with the guidance required under sections 1703 and 1705 of the\n     GPEA. http://www.whitehouse.gov/omb/memoranda_m00-10/\n\nSelected Federal Policies and Key Initiatives Affecting ICAM Implementation\n\nThe authorities and guidelines listed below,[33] as well as others discussed elsewhere in\nthis report, reflect a small sample of relevant authorities related to ICAM implementation.\n\n\xe2\x80\xa2    Privacy Act of 1974 (5 U.S.C. \xc2\xa7 552a). The Privacy Act, in general, governs the\n     collection, maintenance, use, and dissemination of personal information maintained\n     by the federal government. 
In particular, the act covers systems of records that an\n     agency maintains and retrieves by an individual's name or other personal identifier\n     (e.g., Social Security number).\n\n\xe2\x80\xa2    Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191)\n     (HIPAA). HIPAA protects the privacy of individually identifiable health\n     information. The act also provides federal protections for personal health information\n     held by covered entities and gives patients an array of rights with respect to that\n     information.\n\n\xe2\x80\xa2    Government Paperwork Elimination Act of 1998 (P.L. 105-277). GPEA requires\n     federal agencies to allow individuals or entities that deal with the agencies the option\n     to submit information or transact with the agency electronically, when practicable,\n     and to maintain records electronically, when practicable. The act specifically states\n     that electronic records and their related electronic signatures are not to be denied legal\n     effect, validity, or enforceability merely because they are in electronic form and\n     encourages federal government use of a range of electronic signature alternatives.\n\n[33] List extracted from the Federal Chief Information Officers Council and the Federal Enterprise\nArchitecture, Federal Identity, Credential, and Access Management (FICAM) Roadmap and\nImplementation Guidance, Version 1.0, section 2.3.3 (November 10, 2009).\nhttp://www.idmanagement.gov/documents/FICAM_Roadmap_Implementation_Guidance.pdf\n\n\xe2\x80\xa2   Electronic Signatures in Global and National Commerce Act of 2000 (P.L. 106-229). 
This act was intended to facilitate the use of electronic records and signatures\n    in interstate and foreign commerce by ensuring the validity and legal effect of\n    contracts entered into electronically.\n\n\xe2\x80\xa2   Executive Order 12977 - Interagency Security Committee. This order established\n    the Interagency Security Committee to develop standards, policies, and best practices\n    for enhancing the quality and effectiveness of physical security in, and the protection\n    of, nonmilitary federal facilities in the United States.\n\n\xe2\x80\xa2   Executive Order 13467 - Reforming Processes Related to Suitability for\n    Government Employment, Fitness for Contractor Employees, and Eligibility for\n    Access to Classified National Security Information. This order was established to\n    ensure an efficient, practical, reciprocal, and aligned system for investigating and\n    determining suitability for government employment, contractor employee fitness, and\n    eligibility for access to classified information.\n\nSelected National Institute of Standards and Technology Publications\n\n\xe2\x80\xa2   NIST SP 800-128, Guide for Security-Focused Configuration Management of\n    Information Systems. The publication includes guidelines for implementing the CM\n    security controls defined in NIST SP 800-53 and security controls related to\n    managing the configuration of the system architecture and associated components for\n    secure processing, storing, and transmitting of information. See the discussion on\n    page 20 of this report for its applicability to configuration management practices.\n    http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf\n\n\xe2\x80\xa2   NIST SP 800-73-3, Interfaces for Personal Identity Verification. The guidance\n    contains technical specifications to interface with PIV cards to retrieve and use\n    identity credentials. 
The detailed publication comes in four parts: (1) End-Point PIV\n    Card Application Namespace, Data Model and Representation; (2) PIV Card\n    Application Card Command Interface; (3) PIV Client Application Programming\n    Interface; and (4) The PIV Transitional Interfaces & Data Model Specification.\n    http://csrc.nist.gov/publications/PubsByLR.html\n\n\xe2\x80\xa2   NIST SP 800-61, Revision 1, Computer Security Incident Handling Guide. This\n    publication helps organizations mitigate the risks from computer security incidents\n    and focuses on detecting, analyzing, prioritizing, and handling computer security\n    incidents. http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf\n\n\xe2\x80\xa2   NIST SP 800-53, Revision 3, Recommended Security Controls for Federal\n    Information Systems and Organizations. SP 800-53 includes a family of CM security\n    controls. CM-8, Information System Component Inventory, requires organizations to\n    develop, document, and maintain a current inventory of the components of an\n    information system.\n    http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf\n\n\xe2\x80\xa2   FIPS PUB 201-1, Personal Identity Verification (PIV) of Federal Employees and\n    Contractors. NIST published this Federal Information Processing Standard to specify\n    the architecture and technical requirements for a common identification standard for\n    federal employees and contractors. 
http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf\n    See also NIST SP 800-73-3 above.\n\nAppendix B\nSummary of Survey Results\n\nThe CIGIE Cybersecurity Working Group surveyed the IG community to solicit input\nabout the current state of maintaining the integrity of OIG IT systems and carrying out its\nIT oversight responsibilities in the IG community. The working group invited 79\nmembers of CIGIE to respond to the survey, which collected (1) demographics regarding\npersonnel and budget and (2) information regarding various areas of IT. The results from\nthe 41 survey respondents are summarized below.\n\nGeneral Demographics\n1. How many total staff are employed by the OIG?\n\n                                     Number of Respondents         Percentage of Respondents\n                                         to Question                      to Question\n    1-10 people full-time                   7                               17.1%\n    11-50 people full-time                  6                               14.6%\n    51-99 people full-time                  4                                9.8%\n    100-249 people full-time                6                               14.6%\n    250-500 people full-time                9                               22.0%\n    More than 500 people                    6                               14.6%\n    No Data Given                           3                                7.3%\n    Grand Total                            41                             100.0%\n\n2. 
What is the annual OIG budget (including salary and benefits)?\n\n                                     Number of Respondents         Percentage of Respondents\n                                         to Question                      to Question\n    $250,001 to $500,000                    1                               2.4%\n    $500,001 to $999,999                    2                               4.9%\n    $1 million to $4,999,999                7                              17.1%\n    $5 million to $9,999,999                9                              22.0%\n    $10 million to $24,999,999              2                               4.9%\n    $25 million to $49,999,999              6                              14.6%\n    $50 million to $99,999,999              5                              12.2%\n    Over $100 million                       4                               9.8%\n    No Data Given                           5                              12.2%\n    Grand Total                            41                             100.0%\n\n3. 
What is the annual OIG IT budget (including salary and benefits)?\n\n                                    Number of Respondents         Percentage of Respondents\n                                        to Question                      to Question\n    Less than $100,000                      10                              24.4%\n    $100,000 to $250,000                     1                               2.4%\n    $250,001 to $499,999                     4                               9.8%\n    $500,000 to $999,999                     3                               7.3%\n    $1 million to $2,999,999                 6                              14.6%\n    $3 million to $9,999,999                10                              24.4%\n    $10 million to $24,999,999               2                               4.9%\n    No Data Given                            5                              12.2%\n    Grand Total                             41                             100.0%\n\n4. Is the OIG IT budget allocated to sub-budgets?\n\n                                    Number of Respondents         Percentage of Respondents\n                                        to Question                      to Question\n    Yes                                      7                              17.1%\n    No                                      30                              73.2%\n    No Data Given                            4                               9.8%\n    Grand Total                             41                             100.0%\n\n5. Does your OIG\n   (a) have a fully staffed IT group which manages the day-to-day operations and is\n       responsible for maintaining and supporting the OIG infrastructure;\n   (b) rely on your parent agency to provide user and infrastructure support;\n   (c) have a hybrid arrangement where the OIG and the parent agency share user and\n       infrastructure support; or\n   (d) use a third party to provide user and infrastructure support?\n\n                                    Number of Respondents         Percentage of Respondents\n                                        to Question                      to Question\n    (a) Fully staffed OIG IT group          12                              29.3%\n    (b) Parent agency support               11                              26.8%\n    (c) Hybrid arrangement                  13                              31.7%\n    (d) Third-party support                  1                               2.4%\n    No Data Given                            4                               9.8%\n    Grand Total                             41                             100.0%\n\n6. If the OIG has its own IT group, how many full-time equivalents, excluding\n   contractors, are, in any way, responsible for supporting or maintaining IT in the OIG?\n   Please consider part-time staff in full-time equivalents.\n\n                                     Number of Respondents         Percentage of Respondents\n                                         to Question                      to Question\n    None                                          5                          12.2%\n    One person less than full-time                2                           4.9%\n    2 people                                      4                           9.8%\n    3-5 people                                    4                           9.8%\n    6-10 people                                   6                          14.6%\n    11-20 people                                  6                          14.6%\n    21-40 people                                  3                           7.3%\n    41-80 people                                  1                           2.4%\n    No Data Given                                10                          24.4%\n    Grand Total                                  41                         100.0%\n\n7. If the OIG has its own IT group, how many contractors does the OIG use to support\n   or maintain the OIG's IT? Please consider part-time contractors in full-time\n   equivalents.\n\n                                     Number of Respondents         Percentage of Respondents\n                                         to Question                      to Question\n    None                                      14                               34.1%\n    One contractor                             6                               14.6%\n    2 to 5                                     7                               17.1%\n    6 to 10                                    3                                7.3%\n    More than 20 contractors                   1                                2.4%\n    No Data Given                             10                               24.4%\n    Grand Total                               41                              100.0%\n\nScalable Trustworthy Systems\n\nNote: For the next two questions, the number of responses is greater than the 41\n      respondents because respondents could pick more than one choice.\n\n1.   
What technology does the OIG use to support telework policy?\n\n                                      Number of Respondents         Percentage of Respondents\n                                          to Question                      to Question\n      Laptop                                        34                          25.2%\n      Virtual Desktop (Citrix or Remote Desktop)    17                          12.6%\n      Web-based services                            18                          13.3%\n      Removable storage (e.g., thumb drives)        23                          17.0%\n      Physical Tokens                               21                          15.6%\n      Virtual Tokens                                 5                           3.7%\n      Smart Cards                                    6                           4.4%\n      Encrypted Storage on Device                    1                           0.7%\n      Mobile Device                                  2                           1.5%\n      Remote Access Server                           1                           0.7%\n      Virtual Private Network                        3                           2.2%\n      No Data Given                                  4                           3.0%\n      Grand Total                                  135                         100.0%\n\n2.   What architecture and provider is used for Internet connectivity?\n\n                                      Number of Respondents         Percentage of Respondents\n                                          to Question                      to Question\n      OIG-deployed TIC                                               1           2.1%\n      OIG-deployed Internet connection, no TIC architecture          2           4.3%\n      Parent agency-deployed Trusted Internet Connection            16          34.0%\n      Parent agency-deployed Internet connection, no TIC\n      architecture                                                   5          10.6%\n      Parent agency provides all Internet access                    19          40.4%\n      No Data Given                                                  4           8.5%\n      Grand Total                                                   47         100.0%\n\nIdentity, Credential, and Access Management\n1.   Has the OIG implemented a Federal ICAM Program Office or budget line item to\n     support federal ICAM?\n\n                                       Number of Respondents       Percentage of Respondents\n                                           to Question                    to Question\n      Yes                                        10                            24.4%\n      No                                         27                            65.9%\n      No Data Given                               4                             9.8%\n      Grand Total                                41                           100.0%\n\n2.   Has the OIG supplemented OMB Memorandum 05-24, FIPS 201, and NIST guidance\n     with its own policies, directives, or governance procedures to support federal ICAM?\n\n                                       Number of Respondents        Percentage of Respondents\n                                           to Question                     to Question\n      Yes                                         6                             14.6%\n      No                                         30                             73.2%\n      No Data Given                               5                             12.2%\n      Grand Total                                41                            100.0%\n\n3.   Does the OIG use PIV credentials for network/domain authentication?\n\n                                       Number of Respondents        Percentage of Respondents\n                                           to Question                     to Question\n      Yes                                        10                             24.4%\n      No                                         27                             65.9%\n      No Data Given                               4                              9.8%\n      Grand Total                                41                            100.0%\n\n4.   
Has the OIG met all of the details in OMB directives for implementing HSPD-12 and\n     federal ICAM?\n\n                                       Number of Respondents        Percentage of Respondents\n                                           to Question                     to Question\n      Yes                                         10                           24.4%\n      No                                          23                           56.1%\n      No Data Given                                8                           19.5%\n      Grand Total                                 41                          100.0%\n\n\n\n                          Management Advisory Report on Cybersecurity\n\n                                            Page 46\n\x0cAppendix B\nSummary of Survey Results\n\nIncident Detection and Handling\n1. Does the OIG have policies and procedures supporting an Incident Detection and\n   Handling program for OIG systems?\n\n                                    Number of Respondents          Percentage of Respondents\n                                        to Question                       to Question\n    Yes                                          26                           63.4%\n    No                                           11                           26.8%\n    No Data Given                                 4                            9.8%\n    Grand Total                                  41                          100.0%\n\n   a.    
If \xe2\x80\x9cYes,\xe2\x80\x9d are the policies and procedures consistent with NIST SP 800-61\n         Computer Security Incident Handling Guide and/or service-level agreements\n         with the OIG\xe2\x80\x99s parent agency?\n\n                                    Number of Respondents          Percentage of Respondents\n                                        to Question                       to Question\n          Yes                                    25                           61.0%\n          No Data Given                           1                            2.4%\n          Answer to previous\n          question was \xe2\x80\x9cNo\xe2\x80\x9d or\n          not data given                         15                           36.6%\n          Grand Total                            41                          100.0%\n\n2. Does the OIG periodically test its Incident Handling and Detection procedures to\n   ensure they meet OIG security objectives?\n\n                                    Number of Respondents          Percentage of Respondents\n                                        to Question                       to Question\n    Yes                                          16                           39.0%\n    No                                           20                           48.8%\n    No Data Given                                 5                           12.2%\n    Grand Total                                  41                          100.0%\n\n\n\n\n                         Management Advisory Report on Cybersecurity\n\n                                           Page 47\n\x0cAppendix B\nSummary of Survey Results\n\n3. 
Who performs Incident Detection services for OIG systems?\n\n                                   Number of Respondents          Percentage of Respondents\n                                       to Question                       to Question\n    Parent Agency                               17                           41.5%\n    OIG                                          6                           14.6%\n    Parent Agency/OIG                           14                           34.1%\n    No Data Given                                4                            9.8%\n    Grand Total                                 41                          100.0%\n\n4. Who performs Incident Handling services for OIG systems?\n\n                                   Number of Respondents          Percentage of Respondents\n                                       to Question                       to Question\n    Parent Agency                               12                           29.3%\n    OIG                                          5                           12.2%\n    Parent Agency/OIG                           20                           48.8%\n    No Data Given                                4                            9.7%\n    Grand Total                                 41                         100.0%\n\n5. Does the parent organization keep the OIG informed of security incidents?\n\n                                   Number of Respondents          Percentage of Respondents\n                                       to Question                       to Question\n    Yes                                         36                           87.8%\n    No                                           1                            2.4%\n    No Data Given                                4                            9.8%\n    Grand Total                                 41                          100.0%\n\n      5.a. 
If \xe2\x80\x9cNo,\xe2\x80\x9d provide potential recommendations for improving notification of\n           security related events.\n          The one \xe2\x80\x9cNo\xe2\x80\x9d respondent did not provide potential recommendations.\n\n\n\n\n                        Management Advisory Report on Cybersecurity\n\n                                          Page 48\n\x0cAppendix B\nSummary of Survey Results\n\n6. Does the OIG maintain a complete and accurate listing of\n   hardware/software/applications supporting OIG programs and operations?\n\n                                      Number of Respondents          Percentage of Respondents\n                                          to Question                       to Question\n    Yes                                            31                           75.6%\n    No                                              6                           14.6%\n    No Data Given                                   4                            9.8%\n    Grand Total                                    41                          100.0%\n\n7. 
What method does the OIG use for encryption of email messages?\n\n                                      Number of Respondents          Percentage of Respondents\n                                          to Question                       to Question\n    None                                         7                               12.7%\n    PKI                                         16                               29.1%\n    PGP                                          4                                7.3%\n    Manual/attachment only\n    encryption (i.e., Winzip or\n    other)                                         16                           29.1%\n    Other Encryption Method                         7                           12.7%\n    No Data Given                                   5                            9.1%\n    Grand Total                                    55                          100.0%\nNote: For question 7, the number of responses is greater than the 41 respondents\n      because respondents could pick more than one choice.\n\n8. Does the OIG utilize encryption to protect OIG sensitive data from unauthorized\n   access and disclosure?\n\n                                      Number of Respondents          Percentage of Respondents\n                                          to Question                       to Question\n    Yes                                            30                           73.2%\n    No                                              5                           12.2%\n    No Data Given                                   6                           14.6%\n    Grand Total                                    41                          100.0%\n\n\n\n\n                           Management Advisory Report on Cybersecurity\n\n                                             Page 49\n\x0cAppendix B\nSummary of Survey Results\n\n       8.a.    
If \xe2\x80\x9cYes,\xe2\x80\x9d indicate whether the OIG has implemented these protections on\n               end user computers and storage devices.\n\n                                                                  Number of     Percentage of\n                                                                 Respondents    Respondents\n                                                                 to Question     to Question\n                Whole disk encryption has been\n                implemented on end user computers and\n                storage devices.                                        23              56.1%\n                Whole disk encryption has NOT been\n                implemented on end user computers and\n                storage devices.                                         5              12.2%\n                Answer to previous question was \xe2\x80\x9cYes\xe2\x80\x9d but\n                respondent did not answer 8.a                            2              4.9%\n                Answer to previous question was \xe2\x80\x9cNo\xe2\x80\x9d or no\n                data given                                              11           26.8%\n                Grand Total                                             41          100.0%\n\n\n\n9. Does the OIG have intrusion detection capability to monitor traffic on the OIG\xe2\x80\x99s\n   internal network?\n\n                                     Number of Respondents          Percentage of Respondents\n                                         to Question                       to Question\n     Yes                                          22                           53.7%\n     No                                           14                           34.1%\n     No Data Given                                 5                           12.2%\n     Grand Total                                  41                           100.0%\n\n10. 
Does the OIG have a security event correlation capability to identify security incidents?\n\n                                     Number of Respondents          Percentage of Respondents\n                                         to Question                       to Question\n     Yes                                          22                            53.7%\n     No                                           14                            34.1%\n     No Data Given                                 5                            12.2%\n     Grand Total                                  41                           100.0%\n\n\n\n\n                          Management Advisory Report on Cybersecurity\n\n                                            Page 50\n\x0cAppendix B\nSummary of Survey Results\n\n11. Does the OIG consistently review its system audit logs to detect unauthorized access\n    attempts to OIG systems?\n\n                                    Number of Respondents          Percentage of Respondents\n                                        to Question                       to Question\n    Yes                                                26                         63.4%\n    No                                                  9                         22.0%\n    No Data Given                                       6                         14.6%\n    Grand Total                                        41                        100.0%\n\n\n\n\n                         Management Advisory Report on Cybersecurity\n\n                                           Page 51\n\x0cAppendix C\nEmergency Management Case Study\n\nEmergency Management\n\nIt is the policy of the United States to have in place a comprehensive and effective\nprogram to ensure continuity of essential Federal functions under all circumstances. 
As a baseline of preparedness for the full range of potential emergencies, all Federal
agencies shall have in place a viable continuity of operations (COOP) capability which
ensures the performance of their essential functions during any emergency or situation
that may disrupt normal operations.

COOP planning is simply a "good business practice": part of the fundamental mission of
agencies as responsible and reliable public institutions. For years, COOP planning had
been an individual agency responsibility primarily in response to emergencies within the
confines of the organization. The content and structure of COOP plans, operational
standards, and interagency coordination, if any, were left to the discretion of the agency.

The changing threat environment and recent emergencies, including localized acts of
nature, accidents, technological emergencies, and military or terrorist attack-related
incidents, have shifted awareness to the need for COOP capabilities that enable agencies
to continue their essential functions across a broad spectrum of emergencies. Also, the
potential for terrorist use of weapons of mass destruction has emphasized the need to
provide the President a capability which ensures continuity of essential government
functions across the Federal Executive Branch.

To provide a focal point to orchestrate this expanded effort, Presidential Decision
Directive 67 established the Federal Emergency Management Agency (FEMA) as the
Executive Agent for Federal Executive Branch COOP. Inherent in that role is the
responsibility to formulate guidance for agencies to use in developing viable, executable
COOP plans; facilitate interagency coordination as appropriate; and oversee and assess
the status of COOP capability across the Federal Executive Branch. Additionally, each
agency is responsible for appointing a senior Federal government executive as an
Emergency Coordinator to serve as program manager and agency point of contact for
coordinating agency COOP activities.


Summary of OIG's Disaster Preparedness Activities

DHS OIG participated in the COOP Eagle Horizon 2011 Exercise (EH-11) on Thursday,
June 23, 2011. EH-11 is the annual, integrated continuity exercise for all Federal
Executive Branch departments and agencies, as mandated by the National Continuity
Policy Implementation Plan, Federal Continuity Directive 1, and National Security
Presidential Directive-51/Homeland Security Presidential Directive-20, National
Continuity Policy.

The EH-11 exercise presents an opportunity to test organizational readiness and the
capability to execute continuity plans and programs. During the exercise, the Office of
Management, Information Technology Division (ITD), Infrastructure Branch had three
distinct responsibilities. The first task was the transfer (failover) of IT Mission
Essential Functions (MEFs)[34] from OIG's primary location at Headquarters in
Washington, DC to the redundant disaster recovery site in Frisco, Texas. Second, once
the continuity of IT services was ensured through the successful transition of
operations to the redundant site, actions were started to prepare for the full recovery
and reconstitution (failback) of IT MEFs back to HQ. The third task was to form a
technical Advance Response Team to travel to the FEMA National Emergency Training
Center in Emmitsburg, Maryland to coordinate and support the OIG Emergency
Relocation Group (ERG). The Advance Response Team was responsible for establishing
communications and connectivity to the network as well as supporting technical issues
from ERG members.

Since 2004, DHS ITD has been heavily involved in preparing and testing for COOPs in
the OIG. In June 2009, ITD implemented its first major test of the IT systems by
failing over core network infrastructure and email services to the disaster data center.
While the tests were viewed as a success, several components did not behave as
expected.

ITD began planning for the 2011 COOP scenario in November of 2009. Once MEFs
were identified by senior management, several design changes to the existing underlying
architecture were required, both to meet the new requirements and to correct the
problems identified in the 2009 COOP tests. Starting in March of 2010, ITD implemented
these changes on a monthly basis, on the last Friday of each month during the monthly
maintenance window. In April of 2011, the final changes were implemented on a bi-weekly
basis.


OIG's Lessons Learned

DHS OIG has fully participated in the annual DHS Eagle COOP exercise since 2005. As
a major lead in COOP preparedness, ITD's goals included establishing a redundant data
center for COOP and full failover of all mission critical (MC) applications and
infrastructure to the designated location. During the last seven years, OIG has
continually improved its disaster readiness through the improvements made to its COOP
program. The following chart summarizes lessons learned during the continual planning
for and execution of the annual COOP exercises.

[34] IT MEFs are categorized into three areas: 1) Core Network Infrastructure,
     2) Messaging and Communications, and 3) Files and Information.


EVENT: During the first COOP exercise, DHS OIG identified all MC applications but did
       not include the required underlying infrastructure to support the applications.
       For example, components such as Active Directory and SharePoint were initially
       overlooked.
LESSON LEARNED: Identify MC applications as well as the infrastructure behind them.

EVENT: OIG users were not identified as MC and therefore were not available during
       COOP tests.
LESSON LEARNED: After identifying MC systems, ensure the proper authoritative personnel
       are aware of the selected systems as well as those that are not selected.

EVENT: Some essential account information, infrastructure diagrams, and support
       information were not accessible with the primary infrastructure offline.
LESSON LEARNED: Identify support information from prior COOP exercises.

EVENT: During the first COOP exercise, applications were tested for failover prior to
       the actual test and were successful. When the test date came, several tests
       failed for various reasons.
LESSON LEARNED: Create specific test plans customized for each MC component and
       involve multiple personnel in the documentation, testing, and execution of each
       specific MC application; rotate a team to document and test the plan.

EVENT: Large call volume and inundation due to basic requests.
LESSON LEARNED: Set realistic expectations for the user population on resource
       availability; provide a detailed explanation to your user base specifically
       stating what resources will be available.

EVENT: Several Virtual Private Network (VPN) users waited until the exercise date to
       test their VPN authentication and were unprepared to connect to the VPN.
LESSON LEARNED: Allow the user community that will be teleworking to connect, verify,
       and test their capability to reach the network at least a week prior to the test.

EVENT: Could not calculate the increase or decrease in load on the test date because
       the team did not know how many people connected to the VPN on a daily basis.
LESSON LEARNED: Establish baseline statistics and metrics of MC applications and
       infrastructure prior to the actual test so that you can capture statistics.


Appendix D
Contributors to this Report

The CIGIE Cybersecurity Working Group consisted of representatives of the following
Offices of the Inspectors General:

Corporation for National and Community Service
Department of Agriculture
Department of Commerce
Department of Defense
Department of Education
Department of Health and Human Services
Department of Homeland Security
Department of State
Department of Transportation
Department of Veterans Affairs
Farm Credit Administration
Federal Deposit Insurance Corporation
National Aeronautics and Space Administration
National Security Agency
Securities Exchange Commission
Small Business Administration
Social Security Administration
Tennessee Valley Authority
Treasury Inspector General for Taxation Administration
United States International Trade Commission
United States Postal Service


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General
(OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site
at www.dhs.gov/oig.


OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or
noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.


The OIG seeks to protect the identity of each writer and caller.